W3C slaps down Google's proposal to treat multiple domains as same origin

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • standards-positions

  • Even the washing is so bad now that it doesn't even matter:

    - The spec we're discussing was "proposed" sometime in 2019. Here's a comment from WebKit on March 27 2020:

    --- quote ---

    I notice that this proposal still exists only in a random personal repo. Could it please be contributed to an appropriate standards or incubation group?

    --- end quote ---

    At some time they did move it to the appropriate group.

    - WebHID, which is now shipped in Chrome. They asked for Mozilla's position, and Mozilla couldn't even understand the proposal: https://github.com/mozilla/standards-positions/issues/459

    And this keeps happening over and over and over and over again.

    Their reaction when they are called out? When Mozilla and Safari flat-out refused to implement Constructible StyleSheets as they were spec'ed, Chrome still released them (because their own devs from lit-html relied on them), and said https://twitter.com/slightlylate/status/1220451799032877057

    --- quote ---

    We often lead, balancing risk/reward rather than demanding a particular point in an arbitrary process.

    Leadership is rather the point of having an engine team, after all.

    --- end quote ---

    That is what they call "leadership".

  • psl-problems

  • (googler here, but this is my opinion)

    I think there's a big abstraction gap between what we use domains for and what they were supposed to be used for, in a way that we shouldn't assume any ownership only based on the domain itself.

    For instance you can have a number of sites that use separate domains but are owned by the same entity (N domains for 1 party). You could also have the same base domain being used for several unrelated parties, think hosting a store on Shopify (1 domain for N parties). This is so ambiguous that even inside the browser you have two different implementations on the way you handle this attribution, one for cookies and one for Single-Origin Policy.

    There's a good write up about this problem at https://github.com/sleevi/psl-problems. Sometimes I wonder how the web got here with the amount of kludge that we have to carry.

  • list

    The Public Suffix List

  • mystore.shopify.com is definitely hosted by Shopify, but its content is a totally isolated entity. You can trust laptops.shopify.com, but this trust should not automatically transfer to fakestore.shopify.com. In the same way, if you have a valid account on laptops.shopify.com, the browser shouldn't allow fakestore.shopify.com to emit a request and buy something on laptops.shopify.com with your valid session on your behalf, even though they're on the same base domain.

    You also have the parallel problem of how you transfer the trust you have in google.co.uk to youtube.co.jp based only on the domain info you have.

    This is all to say that using only domain names to resolve ownership is a hard problem. For ages browsers have used a crowdsourced list [1] to get around this issue, but recently it has proved not to scale very well, especially after Apple's move to use this list as part of their "Limit Ad Tracking" solution.

    [1] https://publicsuffix.org/
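The two comments above (the "N domains for 1 party / 1 domain for N parties" gap and the shopify.com example) both come down to how a browser turns a hostname into a "site" using the Public Suffix List. The following is an added example, not code from the thread or from the publicsuffix/list or sleevi/psl-problems projects. It implements the PSL matching algorithm (longest matching rule wins, wildcard `*.` rules, `!` exception rules) over a small constructed excerpt in PSL syntax, then compares "same site" (registrable domain) with RFC 6265 cookie domain matching. The `shopify.com` rule added in the second rule set is hypothetical, included only to show what changes if a hosting provider registers itself on the list; it says nothing about the real list's contents.

```python
# Constructed excerpt in Public Suffix List syntax. This is NOT the real list
# (that lives at https://publicsuffix.org/list/); it is just enough rules to
# show how the matching algorithm attributes hosts to "sites".
PSL_EXCERPT = """\
// ICANN section
com
uk
co.uk
jp
co.jp
*.ck
!www.ck
// PRIVATE section: hosting providers can list themselves here
github.io
"""


def parse_psl(text):
    """Return the rule strings from PSL text, dropping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())
    return rules


def _rule_matches(rule_labels, host_labels):
    """A rule matches when the host ends with the rule's labels ('*' = any label)."""
    if len(rule_labels) > len(host_labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(host_labels)))


def public_suffix(host, rules):
    """Public suffix of host per the PSL algorithm (exception > longest > TLD)."""
    host_labels = host.lower().rstrip(".").split(".")
    prevailing = None
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _rule_matches(rule_labels, host_labels):
            continue
        if is_exception:
            # An exception rule wins outright; its suffix drops the leftmost label.
            n = len(rule_labels) - 1
            return ".".join(host_labels[-n:]) if n else ""
        if prevailing is None or len(rule_labels) > len(prevailing):
            prevailing = rule_labels
    n = len(prevailing) if prevailing else 1  # no rule matched: implicit "*"
    return ".".join(host_labels[-n:])


def registrable_domain(host, rules):
    """Public suffix plus one label (eTLD+1), or None if host is itself a suffix."""
    host_labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    if len(host_labels) <= n:
        return None
    return ".".join(host_labels[-(n + 1):])


def same_site(a, b, rules):
    """Browser 'same site' check: both hosts share a registrable domain."""
    ra, rb = registrable_domain(a, rules), registrable_domain(b, rules)
    return ra is not None and ra == rb


def cookie_domain_matches(cookie_domain, host):
    """RFC 6265 domain matching: host equals Domain= or ends with '.' + Domain=."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


RULES = parse_psl(PSL_EXCERPT)
# Hypothetical: what attribution looks like if shopify.com were on the list.
RULES_SHOPIFY_LISTED = RULES + ["shopify.com"]

if __name__ == "__main__":
    a, b = "laptops.shopify.com", "fakestore.shopify.com"
    print("same site (not listed):", same_site(a, b, RULES))                 # True
    print("same site (listed):    ", same_site(a, b, RULES_SHOPIFY_LISTED))  # False
    # A cookie scoped Domain=shopify.com reaches both hosts either way; the PSL
    # does not change RFC 6265 matching, which is why browsers consult it
    # separately when deciding whether to accept such a Domain attribute.
    print("Domain=shopify.com sent to", b, ":", cookie_domain_matches("shopify.com", b))
    print("google.co.uk vs youtube.co.jp:",
          registrable_domain("google.co.uk", RULES), registrable_domain("youtube.co.jp", RULES))
    print("www.ck ->", registrable_domain("www.ck", RULES))          # exception rule
    print("foo.bar.ck ->", registrable_domain("foo.bar.ck", RULES))  # wildcard rule
```

The interesting line is the contrast between `same_site` under the two rule sets: nothing about the hostnames changed, only a line in a crowdsourced text file, yet the browser's answer to "are these two stores one party?" flips. The cookie check stays the same in both cases, which is the second implementation the Googler's comment refers to: `Domain=` matching is pure suffix matching, and a browser has to consult the PSL separately to refuse a cookie scoped to a public suffix.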
