psl-problems | first-party-sets | |
---|---|---|
4 | 3 | |
102 | 255 | |
- | 4.7% | |
0.0 | 5.2 | |
over 4 years ago | 2 days ago | |
Bikeshed | ||
- | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
psl-problems
- See this page fetch itself, byte by byte, over TLS
Ryan Sleevi has written about this before on Hacker News and here's his list https://github.com/sleevi/psl-problems
It's definitely possible that Ryan would consider using this for HN a reasonable choice, because it's mostly cosmetic, but in general you should just not add more dependencies.
- Public Suffix List Problems
- Public Suffix List
Before you begin to make use of the PSL, consider some of its problems: https://github.com/sleevi/psl-problems
FWIW, the link above successfully convinced me and a coworker not to use the PSL.
- W3C slaps down Google's proposal to treat multiple domains as same origin
(googler here, but this is my opinion)
I think there's a big abstraction gap between what we use domains for and what they were supposed to be used for, in a way that we shouldn't assume any ownership only based on the domain itself.
For instance you can have a number of sites that use separate domains but are owned by the same entity (N domains for 1 party). You could also have the same base domain being used for several unrelated parties, think hosting a store on Shopify (1 domain for N parties). This is so ambiguous that even inside the browser you have two different implementations on the way you handle this attribution, one for cookies and one for Single-Origin Policy.
There's a good write up about this problem at https://github.com/sleevi/psl-problems. Sometimes I wonder how the web got here with the amount of kludge that we have to carry.
first-party-sets
- New in Chrome 113
https://github.com/WICG/first-party-sets#non-goals has:
Non-goals: ... Information exchange between unrelated sites for ad targeting or conversion measurement.
To get something onto the list (https://github.com/GoogleChrome/first-party-sets/blob/main/f..., currently empty) you need to make a public PR with rationale (https://github.com/GoogleChrome/first-party-sets/blob/main/F...). It doesn't look to me like DoubleClick would qualify?
- Public Suffix List Problems
- A new way for Google to kill your SaaS startup
How would you propose handling this with DNS? Here are some things it covers:
* a.example.com and b.example.com are the same site
* a.co.uk and b.co.uk are not the same site
* a.cloudfront.net and b.cloudfront.net are not the same site
* a.higashikawa.hokkaido.jp and b.higashikawa.hokkaido.jp are not the same site
* a.example.higashikawa.hokkaido.jp and b.example.higashikawa.hokkaido.jp are the same site
There is a proposal to do something similar using .well-known urls: https://github.com/privacycg/first-party-sets
What are some alternatives?
list - The Public Suffix List
fenced-frame - Proposal for a strong boundary between a page and its embedded content
standards-positions
related-website-sets
chromium - The official GitHub mirror of the Chromium source
sansio-tld-parser - A top level domain parser with no builtin io.
issues - WiX Toolset Issues Tracker
subtls - A proof-of-concept TypeScript TLS 1.3 client