cookies breakout log
channel
[17:06:19] <AramZS> present+
[17:06:36] <AramZS> Johann Hofmann presenting
[17:06:50] <ErikAnderson> present+
[17:07:07] <AramZS> scribe+
[17:07:09] <AramZS> Cookie layering - want to specify a few major points
[17:07:15] <AramZS> interop issues
[17:07:36] tako (~tako@6b13c2d6.publics.cloak) joined the channel
[17:07:42] AramZS is not dealing with the mess that is matrix if someone is minute-ing there
[17:07:52] <AramZS> We have a bunch of behaviors that sides are not willing to change
[17:08:10] <AramZS> Chrome is not deprecating third party cookies and that won't change
[17:08:17] <AramZS> so now we have to deal with interop issues
[17:08:20] <ErikAnderson> q+
[17:08:20] Zakim sees ErikAnderson on the speaker queue
[17:08:24] <AramZS> Ben brought this up in privacycg
[17:08:27] <niklasmerz> present+
[17:08:40] <AramZS> It isn't a direct problem but we want to progress towards interop
[17:09:10] <AramZS> John W: I just wanted to say that I've been saying to a few people that used to work on privacy sandbox that I don't think we've seen the last chapter here
[17:09:15] <AramZS> it is very unf for the web platform
[17:09:29] <niklasmerz> big +1 on third party cookie breakage. The situation is very weird on WebViews
[17:09:29] <AramZS> such a fundamental piece of tech is significantly bifurcated
[17:09:39] <AramZS> that is not a great outcome of whatever happened
[17:09:52] <AramZS> The people who made us end up here got in the way of a web standards process
[17:10:01] <AramZS> It should have been figured out here and it got disrupted.
[17:10:19] <AramZS> Johann: did we want to discuss breakage and how we're dealing with it?
[17:10:41] <AramZS> John W: Matthew has been dealing with site compatibility
[17:11:10] <AramZS> The long tail of sites that require some sort of account you can't just sign up for that you can't easily get test accounts for. We just get reports it is broken b/c of third party cookies
[17:11:16] johannhof (~johannhof@6b13c2d6.publics.cloak) joined the channel
[17:11:42] <AramZS> Matthew: (webkit) I've had conversations with Johann and ben and we've tried to deal with situations where the browser doesn't handle these things by default
[17:12:22] <AramZS> We've tried to accommodate per-site quirks and have had small success with webkit, esp with CHIPS for partitioned cookies which let you use cookies within a third party context but not use the user's actual cookies
[17:12:25] <AramZS> we are exploring this
[17:13:24] <AramZS> On: potentially developing a shared list of websites where we know 3p cookies are needed in some way (partitioned cookies or if the relationship is 1st party and the site should be relying on the storage access api and we can use quirks there) it could be useful to maintain that list
[17:13:38] <johannhof> q?
[17:13:38] Zakim sees ErikAnderson on the speaker queue
[17:13:40] <AramZS> esp across UA providers
[17:14:04] miketaylr (~uid669723@6c65f1b9.public.cloak) joined the channel
[17:14:08] dwaite (~dwaite@6b13c2d6.publics.cloak) joined the channel
[17:14:46] bvandersloot (~bvandersloot@6b13c2d6.publics.cloak) joined the channel
[17:14:51] <AramZS> ErikAnderson: I think I asked this in some way before. Chrome Incognito has a partitioned behavior and there is still a 3p block cookie setting
[17:14:54] <bvandersloot> present+
[17:15:16] ErikAnderson (~ErikAnderson@6b13c2d6.publics.cloak) left IRC
[17:15:20] <dwaite> present+
[17:15:26] <AramZS> Taylor: Chrome - blocking cookies in Chrome gives you partitioned cookies
[17:15:36] <AramZS> This isn't the same as incognito where there are no third party cookies
[17:15:39] <AramZS> those are blocked by default
[17:15:48] <AramZS> CHIPS works though in incognito mode
[17:15:48] wbamberg (~wbamberg@6b13c2d6.publics.cloak) joined the channel
[17:17:02] <AramZS> ErikAnderson: given that there is no longer a change in default behavior and no longer inducing a change. Is it possible there's an option for chrome users to opt in to the same behavior as Firefox and Webkit? That would give more reason for people to move their sites to match that experience.
[17:17:12] Ehsan (~Ehsan@6b13c2d6.publics.cloak) joined the channel
[17:17:20] <AramZS> We still have convos about what are the limits of CHIPS etc... is it easier now for an aligned behavior ?
[17:17:37] <AramZS> johannhof: we're willing to talk about what that mode does but can't change the default behavior.
[17:17:56] <AramZS> ErikAnderson: incognito mode might make this harder since it has a different default?
[17:18:13] <AramZS> Can we make it so incognito and no-3p mode has the same behavior?
[17:18:31] sisidovski (~sisidovski@6b13c2d6.publics.cloak) joined the channel
[17:18:33] <AramZS> johannhof: I will take that feedback. Also talking about a shared list is something that has come up before.
[17:18:45] <AramZS> Partitioned cookies default behavior
[17:19:36] <AramZS> bvandersloot: Firefox partitions by default. Chrome incog and Safari block them. The challenge is that for us partition by default is a good compat mechanism that stops us from having to intervene with sites and for that reason changing is very hard for us to ship.
[17:19:41] <johannhof> q?
[17:19:42] Zakim sees ErikAnderson on the speaker queue
[17:19:47] <AramZS> John W.: how many sites get unbroken?
[17:19:48] ErikAnderson (~ErikAnderson@6b13c2d6.publics.cloak) joined the channel
[17:19:51] <AramZS> ack ErikAnderson
[17:19:52] Zakim sees no one on the speaker queue
[17:20:24] <AramZS> bvandersloot: Not really - there are deeper behaviors like carts or sign ins or other cross site behaviors, which means it is very hard to get even a manual estimate.
[17:21:06] <AramZS> Is there a resolution we see to this? interop issues don't get better over time. What's the realistic option towards convergence. Either Chrome switches to partition or block.
[17:21:21] <AramZS> Matthew: we've heard that some sites would still like to opt out of 3p cookies if possible.
[17:21:32] <AramZS> maybe we need a followup to CHIPS that allows for opt out of 3p
[17:22:08] bvandersloot (~bvandersloot@6b13c2d6.publics.cloak) left IRC
[17:22:22] <AramZS> It would be on the header or for an iframe. Not the first party
[17:23:08] <AramZS> ???: This particular party might need to be for cross origin document - they need to know that they are being loaded cross origin and what their relationship is to the origin frame and then we wouldn't need to know about it
[17:23:29] <AramZS> or rather the embedded entity wouldn't need to worry about partitions
[17:23:37] <AramZS> q?
[17:23:37] Zakim sees no one on the speaker queue
[17:23:51] <AramZS> q+ to ask about opt out of third party cookies header
[17:23:51] Zakim sees AramZS on the speaker queue
[17:24:16] cfredric (~cfredric@6b13c2d6.publics.cloak) joined the channel
[17:24:30] <AramZS> John W: when dealing with same site lax by default any change to the cookie behavior will break some weird behavior and then there is a mad rush to unship changes. Don't touch that default cookie behavior
[17:24:33] <AramZS> ack AramZS
[17:24:33] <Zakim> AramZS, you wanted to ask about opt out of third party cookies header
[17:24:34] Zakim sees no one on the speaker queue
[17:24:54] <miketaylr> AramZS: are we going to talk about the proposal to block 3P cookies?
[17:24:59] <miketaylr> johannhof: yes
[17:25:21] <AramZS> johannhof: stalemate situation and we can't move that much. Maybe we can explore partitioning
[17:25:27] <miketaylr> q+
[17:25:27] Zakim sees miketaylr on the speaker queue
[17:25:29] dwaite (~dwaite@6b13c2d6.publics.cloak) left IRC
[17:25:47] <AramZS> bvandersloot: we can consider blocking as well. it was scary last time
[17:25:51] bvandersloot (~bvandersloot@6b13c2d6.publics.cloak) joined the channel
[17:26:31] <AramZS> kleber: Have you considered trying to give the people who encounter breakage a partitioned cookie option?
[17:26:49] <AramZS> Then you could collect data about the potential benefits of a more firefoxy model
[17:27:02] Haruki (~Haruki@6b13c2d6.publics.cloak) joined the channel
[17:27:03] <AramZS> John W: we did add a way for regular users to tell us if stuff is broken
[17:27:15] <AramZS> the reports are hard to parse - sometimes people are just angry about something
[17:27:24] <AramZS> Figuring out that it is cookies is hard.
[17:27:41] <AramZS> johannhof: the most popular sites to get reported tend to be ones that just have basic network errors.
[17:27:41] JoelA (~JoelA@6b13c2d6.publics.cloak) joined the channel
[17:28:16] <AramZS> John W: ex of a deep investigation - US Census site. It turned out that one of their load balancers sent a double CSP header and we still had a legacy CSP header implementation and they had slightly diff policies
[17:29:39] <AramZS> ack miketaylr
[17:29:39] Zakim sees no one on the speaker queue
[17:29:50] <ErikAnderson> q+ because Johann said I need to be in it
[17:29:50] Zakim ErikAnderson, you typed too many words without commas; I suspect you forgot to start with 'to ...'
[17:29:53] <ErikAnderson> q+
[17:29:53] Zakim sees ErikAnderson on the speaker queue
[17:30:10] <AramZS> miketaylr: We tried to investigate that behavior and tried to figure out what broke and never really discovered it.
[17:30:31] <AramZS> ErikAnderson: sites do sometimes hard code browser engine assumptions
[17:30:36] <AramZS> ack ErikAnderson
[17:30:36] Zakim sees no one on the speaker queue
[17:30:54] <AramZS> John W: it sometimes solves that problem and introduces 10 others
[17:31:10] <AramZS> johannhof: samesite lax by default how do we solve?
[17:31:31] <AramZS> I think there was a possible way when chrome was still on the path with chrome going to samesite none by default and storageaccess headers
[17:31:36] <AramZS> right now I don't know
[17:31:57] <AramZS> both browsers wanted to go to lax by default at one point is there still an option?
[17:32:12] <AramZS> John W: we did it and it was theoretically an improvement but then a bunch of stuff broke
[17:32:24] <AramZS> We shipped and a bunch of enterprise sites broke and complained.
[17:32:42] <AramZS> We liked the change in theory
[17:33:05] <AramZS> Matthew: we can't detect the problem until we ship and then it hits us with a problem and it takes a while to unship
[17:33:30] <AramZS> johannhof: it sounds like it is really hard to find it in the ecosystem it is hidden to us and we can't crawl for it?
[17:34:39] <AramZS> John W: when we made them samesite lax by default. When we go back in time the orig only had lax and strict and Chrome proposed and implemented None and when we didn't recognize the value we defaulted to strict so when servers started sending us None we did the complete opposite. Sites started to do 'if safari never set samesite to none'
[17:34:51] <AramZS> so when we flipped to lax they refused to set to samesite none and it became lax
[17:34:58] <AramZS> q?
[17:34:59] Zakim sees no one on the speaker queue
[17:35:21] <AramZS> Do you remember that Google developed server-side code to know if they could start setting specific samesite settings?
[17:35:34] <miketaylr> https://bugs.webkit.org/show_bug.cgi?id=198181
[17:35:36] <AramZS> because this was in our HTTP layer it took 3 years to get it out of our versions, totally different thing.
[17:36:05] <AramZS> Why is chrome not willing to do samesite none by default?
[17:36:16] <AramZS> johannhof: security boundary issue
[17:36:39] sisidovski (~sisidovski@6b13c2d6.publics.cloak) left IRC
[17:36:46] <AramZS> If you were in touch with the people for whom this was broken for did they fix it?
[17:36:59] <AramZS> ErikAnderson: they sniffed it
[17:37:24] <AramZS> John W: the one or two people who did fix it were good but we realized it must have been a pretty long tail of people with issues
[17:37:38] karlcow (~karlcow@6c65f1b9.public.cloak) joined the channel
[17:38:10] <AramZS> ???: I have an idea - collective deprecation is something we do? can we deprecate cookies without samesite?
[17:38:44] <AramZS> bvandersloot: for a collective issue like TLS it might make sense
[17:38:56] <cfredric> s/???/annevk/
[17:39:02] <AramZS> johannhof: would be good to make progress on this better than once a year
[17:39:32] <AramZS> Edgar: from mozilla - +1 on hard to diagnose issues. We've also been theorizing partial cookie removal is an issue
[17:39:39] <AramZS> how should we deal with the global cookie max
[17:39:50] <AramZS> right now the current way in both specs is ordering by last access
[17:39:54] <AramZS> q?
[17:39:54] Zakim sees no one on the speaker queue
[17:40:09] <AramZS> then we are in a state where a host is purged partially
[17:40:13] <AramZS> q+
[17:40:21] Zakim sees AramZS on the speaker queue
[17:40:27] <AramZS> annevk: is anyone around who worked on this?
[17:40:37] <AramZS> Seems like it goes back to netscape
[17:41:04] <AramZS> mt: a lot of websites tolerate cookies disappearing piecemeal ?
[17:41:04] <karlcow> For history https://github.com/webcompat/web-bugs/issues?q=label%3A%22type-cookie-sameSite%22
[17:41:04] <karlcow> https://bugzilla.mozilla.org/show_bug.cgi?id=1618610
[17:41:55] <AramZS> annevk: just sort of deletes the furthest cookies set from the present
[17:42:06] <AramZS> ????: might be ordered by security.
[17:42:15] <AramZS> ack AramZS
[17:42:21] Zakim sees no one on the speaker queue
[17:42:35] <ErikAnderson> s/????/mikewest
[17:42:35] <miketaylr> AramZS: as a site owner, we have a whole suite around managing the fact that cookies randomly disappear
[17:42:56] <miketaylr> AramZS: it's unpredictable and causes problems. we have 2 pieces: we try to reapply the important cookies
[17:43:20] <miketaylr> ... and have a cookie monster that removes non-essential cookies for whatever reason. it sucks, but others probably do similar
[17:43:23] <ErikAnderson> q+ mikewest
[17:43:24] Zakim sees mikewest on the speaker queue
[17:43:51] <AramZS> John W: I think maybe a major US newspaper we got reports on seemingly random logouts and it was really just too many cookies for the cookie header and it was kind of random which ones got cut off
[17:43:59] <ErikAnderson> ack next
[17:44:00] Zakim sees mikewest at the head of the speaker queue
[17:44:00] Zakim sees no one on the speaker queue
[17:44:51] <AramZS> Mikewest: Within a lot of enterprises that have multiple subdomains and set a lot of cookies chrome has found it impossible to handle priority. Sites find it very valuable to prioritize cookies to be deleted. Chrome can't remove that process
[17:45:21] <AramZS> When sorting the list of cookies to use we delete low priority before high priority but I don't recall exactly how it is set.
[17:45:46] <AramZS> johannhof: It would have a good interop impact if we make a change on this one
[17:46:10] <AramZS> mikewest: Changing to delete all the cookies would be something we could do. When we changed sorting to be on secure it broke websites.
[17:46:20] JoelA (~JoelA@6b13c2d6.publics.cloak) left IRC
[17:46:30] <AramZS> I am reluctant to touch cookie sorting; making it atomic would be safe but surprising.
[17:47:00] <miketaylr> annevk: would you prefer atomic aram?
[17:47:12] <miketaylr> AramZS: that doesn't seem like it would be any better
[17:47:24] <miketaylr> ErikAnderson: you don't have the mystery of hunting for a missing cookie
[17:47:35] <miketaylr> AramZS: maybe i'm the wrong person to ask
[17:48:12] <AramZS> Ed: I am willing to write up a proposal
[17:48:13] <miketaylr> AramZS: i'd be interested in seeing a proposal, unsure if helpful.
[17:49:37] <AramZS> Microsoft/Xander: From an ad tech perspective given the amount of time this happens it would be worse if it was atomic and everything was deleted
[17:49:53] <AramZS> mt: if you don't have priority set it would be atomic and then if you do it would go down the list.
[17:50:31] <AramZS> If you have priorities you'd go through and do the lowest priority one until you felt you hit the safe amount.
[17:51:56] <AramZS> Isaac F: Atomic means all cookies have to go away means all cookies are set. I like the priority idea maybe that would be a fine way to do that.
[17:52:18] <AramZS> s/Microsoft/Isaac F -
[17:52:49] <AramZS> John W: actual atomic I don't think is possible: cookies in memory and cookies on disk, and you don't want to block all networking while deleting cookies.
[17:53:05] <AramZS> mt: there's always a risk
[17:53:29] <AramZS> johannhof: two proposals to discuss from Google
[17:53:43] <AramZS> [slide] Origin Bound cookies
[17:53:58] <AramZS> A really cool proposal that binds cookies to scheme and port by default
[17:54:06] <AramZS> maps very closely to browser understood origin
[17:54:33] <AramZS> split between insecure and secure context mapping is no longer needed, it just understands the default user security setting.
[17:54:49] <AramZS> Scheme always applies there is a strong binding but you get TLD+1 binding for the domain
[17:54:59] <AramZS> I think it is a really good proposal and would recommend someone check it out
[17:55:04] <AramZS> mt: tested for breakage?
[17:55:36] <AramZS> miketaylr: I've been running with these flags for months and good so far. There is also some real data we'll send with intent to ship
[17:56:06] <AramZS> John W: Do you mean when it is bound to a secure scheme do we synthesize it or do we change behavior
[17:56:08] <AramZS> ?
[17:56:15] ErikAnderson (~ErikAnderson@6b13c2d6.publics.cloak) left IRC
[17:56:18] <AramZS> What about deleting behavior?
[17:56:44] <AramZS> johannhof: we would treat it like secure but not synthesize that setting I believe
[17:57:01] <AramZS> the proposal is not explicitly removing it right now but that might be a followup.
[17:57:04] <AramZS> q?
[17:57:04] Zakim sees no one on the speaker queue
[17:57:22] <AramZS> [slide] Third-Party Cookie Allowlist Header
[17:57:50] bvandersloot (~bvandersloot@6b13c2d6.publics.cloak) left IRC
[17:58:22] <AramZS> does not mean third party cookies are blocked by default by anyone - if you set none in this allowlist to disallow third party cookies access to specific children. Nothing is forced it is an expression of preference that the browser reads. For security reasons if you want to disallow a particular child the right allowlist settings might handle it
[17:58:23] <AramZS> q+
[17:58:23] Zakim sees AramZS on the speaker queue
[17:58:56] <AramZS> This is a name of an explainer and that name on the header might not be great
[17:58:58] <AramZS> q-
[17:58:58] Zakim sees no one on the speaker queue
[17:59:36] <AramZS> We struggle to follow up on cookies work. We have a bunch of places where we can discuss it but we should do more work to be systematic and public in meeting about this and discussing next steps.
[17:59:52] <AramZS> John W: cookie community group?
[17:59:59] <AramZS> Well scoped
[18:00:09] <AramZS> johannhof: that is worth considering.
[18:00:22] <AramZS> I am not sure there are any problems?
[18:00:28] <AramZS> there are so many problems to solve
[18:01:39] <AramZS> John W: might be able to get cookie only people in a dedicated CG who are not interested in the privacy stuff
[18:01:53] niklasmerz (~niklas@6c65f1b9.public.cloak) left IRC ("Konversation terminated!")
[18:01:54] niklas (~niklas@6c65f1b9.public.cloak) joined the channel
[18:01:57] <AramZS> johannhof: avoiding the privacywg for this will give us broader stuff to work on potentially.
[18:02:11] <AramZS> I will follow up on that suggestion.
[18:02:19] wbamberg (~wbamberg@6b13c2d6.publics.cloak) left IRC
[18:02:22] <AramZS> Thanks all!
[18:02:22] camille (~camille@6b13c2d6.publics.cloak) left IRC
[18:02:26] <AramZS> RSSAgent, make minutes