>> Should we special-case the cookie value "OPT_OUT"? It would be unfortunate indeed if removing old cookies meant that users who had opted out of interest-based advertising started being targeted again. Perhaps excluding the special value OPT_OUT (and asking advertisers to standardize on it?) is justifiable.
Likewise, instead of using technical measures to stop websites from acquiring analytics, we can make them pinky-swear to delete out data. This simply cannot go wrong.
Can we change the clickbaity headline? This is a Google employee, but there is no evidence in that repo that supports the claim that "Google has plans".
Speaking with some amount of experience working with people on that team: his role at Google is precisely what you see him doing here—deprecating insecure fundamental components of the web.
A proposal like this wouldn't have been approved for public release if the rest of the Chromium security team didn't see merit to it.
Everyone keeps calling him "some guy." Mike West is attached to a number of similar RFCs.
That all being said, I wouldn't immediately discount the idea even if it only turns out to be a research exercise.
I think so as well. The intent of this write-up is explicitly to advocate for a practice to "Expire cookies early". "Depreciate" might not be the perfect word, but "deprecate" is outright misleading.
One of my earliest memories of professional programming was talking to another dev, many years my senior in experience, about a "deprecated" API. They insisted the word was "depreciated". I didn't push it for the conversation, but afterwards triple-double-checked I wasn't crazy. Nearly 20 years later, I still feel I might be using the word wrong.
Might cause an issue for WiFi access portals in short term. Not really related, more of a side effect of poor implementations. Some use cookies to route around settings, I’ve had trouble with in past.
It's not the 90's... WebApps and PWA's require JS. And Javascript in browser is secure as it is sandboxed. Minute privacy concerns are not enough for 99.9% of the people to disable js either.
24 comments
[ 3.0 ms ] story [ 45.3 ms ] threadStill suggesting the Evil Bit? https://www.ietf.org/rfc/rfc3514.txt
Likewise, instead of using technical measures to stop websites from acquiring analytics, we can make them pinky-swear to delete out data. This simply cannot go wrong.
https://groups.google.com/a/chromium.org/forum/#!topic/blink...
A proposal like this wouldn't have been approved for public release if the rest of the Chromium security team didn't see merit to it.
Everyone keeps calling him "some guy." Mike West is attached to a number of similar RFCs.
That all being said, I wouldn't immediately discount the idea even if it only turns out to be a research exercise.
I’m not familiar with their workflow but it looks like something that the development team is considering, not random babbling from a random employee.
Technically yes, it's the Blink team that has plans to deprecate, but that is effectively Google.