Re: [whatwg] Cross-Origin Cookies Sharing Proposal
On Fri, 21 Jun 2013, Huan Du wrote:
> As privacy awareness becomes prevalent, the trend is that future browsers are going to ban third-party Cookies by default. This is a good thing for users, but for giant internet companies, this has no doubt increased the difficulty and complexity of implementing user session synchronization.
>
> Is it possible to, like Cross-Origin Resource Sharing, allow a site to indicate which domains it would like to share Cookies with?

Why would a user be ok with sharing cookies with these sites if they're not ok with sharing them otherwise? I don't really understand what the user threat model is here.

On Fri, 21 Jun 2013, Nils Dagsson Moskopp wrote:
> I have a suspicion that the only thing that cannot be done easily without cookies is tracking – that is, pretending that a user has an account, but ensuring that she has not made that choice consciously.

That's pretty easy to do even without cookies or other storage mechanisms. You can fingerprint a user pretty precisely.

On Sat, 22 Jun 2013, Huan Du wrote:
> There are at least 3 web sites in Alibaba: taobao.com, tmall.com, etao.com. All of them are using the same account management system, including sign up and sign in.
>
> The requirement is simple for the account management system. When user A has signed in to taobao.com, we expect A to be signed in to tmall.com and etao.com.

Right. There are lots of cases such as this where third-party cookies (or a similar mechanism) are an integral part of the experience.

--
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
Re: [whatwg] Cross-Origin Cookies Sharing Proposal
Hi Mountie,

I think they are different experiences. We want a smooth solution.

Regards,
Charlie

2013/6/24 Mountie Lee moun...@paygate.net
> For SSO, did you try SAML or OAuth?
>
> On Sat, Jun 22, 2013 at 12:00 PM, Huan Du dh20...@gmail.com wrote:
> > Nils,
> >
> > Thanks for your feedback.
> >
> > There are at least 3 web sites in Alibaba: taobao.com, tmall.com, etao.com. All of them are using the same account management system, including sign up and sign in.
> >
> > The requirement is simple for the account management system. When user A has signed in to taobao.com, we expect A to be signed in to tmall.com and etao.com.
> >
> > Regards,
> > Charlie
> >
> > 2013/6/22 Nils Dagsson Moskopp n...@dieweltistgarnichtso.net
> > > Huan Du dh20...@gmail.com wrote on Fri, 21 Jun 2013 19:49:39 +0800:
> > > > As privacy awareness becomes prevalent, the trend is that future browsers are going to ban third-party Cookies by default. This is a good thing for users, but for giant internet companies, this has no doubt increased the difficulty and complexity of implementing user session synchronization.
> > >
> > > I have a suspicion that the only thing that cannot be done easily without cookies is tracking – that is, pretending that a user has an account, but ensuring that she has not made that choice consciously. Everything else, so it seems to me, can be done RESTful. Am I wrong?
> > >
> > > > Is it possible to, like Cross-Origin Resource Sharing, allow a site to indicate which domains it would like to share Cookies with? The user account management system of Alibaba has encountered this issue and has been troubled by it. If there's a proposal like this, it would be very nice.
> > >
> > > Can you elaborate? Why would an account management system need sessions?
> > >
> > > --
> > > Nils Dagsson Moskopp // erlehmann
> > > http://dieweltistgarnichtso.net
>
> --
> Mountie Lee
> PayGate CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : moun...@paygate.net
> ===
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT for Korea, Japan, China, and the World
Re: [whatwg] Cross-Origin Cookies Sharing Proposal
Sure, it is an implementation issue, but I think the standardization should let it be easy. Like the tags header, footer... why do we need them? Right?

Regards
Charlie

On 2013-6-25, at 8:49, Mountie Lee moun...@paygate.net wrote:
> I think it is not a standardization issue but an implementation issue.
>
> On Mon, Jun 24, 2013 at 7:06 PM, Huan Du dh20...@gmail.com wrote:
> > Hi Mountie,
> >
> > I think they are different experiences. We want a smooth solution.
> >
> > Regards,
> > Charlie
> >
> > 2013/6/24 Mountie Lee moun...@paygate.net
> > > For SSO, did you try SAML or OAuth?
> > >
> > > On Sat, Jun 22, 2013 at 12:00 PM, Huan Du dh20...@gmail.com wrote:
> > > > Nils,
> > > >
> > > > Thanks for your feedback.
> > > >
> > > > There are at least 3 web sites in Alibaba: taobao.com, tmall.com, etao.com. All of them are using the same account management system, including sign up and sign in.
> > > >
> > > > The requirement is simple for the account management system. When user A has signed in to taobao.com, we expect A to be signed in to tmall.com and etao.com.
> > > >
> > > > Regards,
> > > > Charlie
> > > >
> > > > 2013/6/22 Nils Dagsson Moskopp n...@dieweltistgarnichtso.net
> > > > > Huan Du dh20...@gmail.com wrote on Fri, 21 Jun 2013 19:49:39 +0800:
> > > > > > As privacy awareness becomes prevalent, the trend is that future browsers are going to ban third-party Cookies by default. This is a good thing for users, but for giant internet companies, this has no doubt increased the difficulty and complexity of implementing user session synchronization.
> > > > >
> > > > > I have a suspicion that the only thing that cannot be done easily without cookies is tracking – that is, pretending that a user has an account, but ensuring that she has not made that choice consciously. Everything else, so it seems to me, can be done RESTful. Am I wrong?
> > > > >
> > > > > > Is it possible to, like Cross-Origin Resource Sharing, allow a site to indicate which domains it would like to share Cookies with? The user account management system of Alibaba has encountered this issue and has been troubled by it. If there's a proposal like this, it would be very nice.
> > > > >
> > > > > Can you elaborate? Why would an account management system need sessions?
> > > > >
> > > > > --
> > > > > Nils Dagsson Moskopp // erlehmann
> > > > > http://dieweltistgarnichtso.net
> > >
> > > --
> > > Mountie Lee
> > > PayGate CTO, CISSP
> > > Tel : +82 2 2140 2700
> > > E-Mail : moun...@paygate.net
> > > ===
> > > PayGate Inc.
> > > THE STANDARD FOR ONLINE PAYMENT for Korea, Japan, China, and the World
>
> --
> Mountie Lee
> PayGate CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : moun...@paygate.net
> ===
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT for Korea, Japan, China, and the World
Re: [whatwg] Cross-Origin Cookies Sharing Proposal
Huan Du dh20...@gmail.com wrote on Fri, 21 Jun 2013 19:49:39 +0800:
> As privacy awareness becomes prevalent, the trend is that future browsers are going to ban third-party Cookies by default. This is a good thing for users, but for giant internet companies, this has no doubt increased the difficulty and complexity of implementing user session synchronization.

I have a suspicion that the only thing that cannot be done easily without cookies is tracking – that is, pretending that a user has an account, but ensuring that she has not made that choice consciously. Everything else, so it seems to me, can be done RESTful. Am I wrong?

> Is it possible to, like Cross-Origin Resource Sharing, allow a site to indicate which domains it would like to share Cookies with? The user account management system of Alibaba has encountered this issue and has been troubled by it. If there's a proposal like this, it would be very nice.

Can you elaborate? Why would an account management system need sessions?

--
Nils Dagsson Moskopp // erlehmann
http://dieweltistgarnichtso.net
Re: [whatwg] Cross-Origin Cookies Sharing Proposal
Daniel,

Thanks for your information, I'll read it carefully.

Regards,
Charlie

2013/6/22 Daniel Veditz dved...@mozilla.com
> On 6/21/2013 11:09 AM, Daniel Veditz wrote:
> > This makes partial-blocking a somewhat hard-sell: still breaks some content, and still angers the privacy advocates because it allows things like facebook and G+ buttons to track you (for most values of you).
>
> Apparently Mozilla is joining Stanford, Opera and others in forming a Cookie Clearinghouse to design a more nuanced solution
> https://brendaneich.com/2013/06/the-cookie-clearinghouse/
>
> -Dan Veditz
Re: [whatwg] Cross-Origin Cookies Sharing Proposal
Nils,

Thanks for your feedback.

There are at least 3 web sites in Alibaba: taobao.com, tmall.com, etao.com. All of them are using the same account management system, including sign up and sign in.

The requirement is simple for the account management system. When user A has signed in to taobao.com, we expect A to be signed in to tmall.com and etao.com.

Regards,
Charlie

2013/6/22 Nils Dagsson Moskopp n...@dieweltistgarnichtso.net
> Huan Du dh20...@gmail.com wrote on Fri, 21 Jun 2013 19:49:39 +0800:
> > As privacy awareness becomes prevalent, the trend is that future browsers are going to ban third-party Cookies by default. This is a good thing for users, but for giant internet companies, this has no doubt increased the difficulty and complexity of implementing user session synchronization.
>
> I have a suspicion that the only thing that cannot be done easily without cookies is tracking – that is, pretending that a user has an account, but ensuring that she has not made that choice consciously. Everything else, so it seems to me, can be done RESTful. Am I wrong?
>
> > Is it possible to, like Cross-Origin Resource Sharing, allow a site to indicate which domains it would like to share Cookies with? The user account management system of Alibaba has encountered this issue and has been troubled by it. If there's a proposal like this, it would be very nice.
>
> Can you elaborate? Why would an account management system need sessions?
>
> --
> Nils Dagsson Moskopp // erlehmann
> http://dieweltistgarnichtso.net