What do we talk about when we talk about First Party Sets? #134
Comments
I'm not sure that I can answer that question either. WICG/first-party-sets#62 was my attempt to try to unravel this and I cannot say that that was successful. The answers I got there were too abstract for me. My intuition is that John is talking about using information of this shape as input to various heuristics. For instance, we have heuristics that determine whether using the storage access API results in an automatic answer or a user prompt. Perhaps you could imagine more automated grants in the short term for sites in a set; or, in the future, more automated denials for those who are not.
Thanks @martinthomson for this input. Do you think that this use case is best supported by FPS or there might be an alternative approach? Also, I forgot to put this on the top of the issue, but I was hoping @kdeqc might be willing to further document the use case she discussed on the Privacy CG call here or on our next call?
I hadn't reached any particular conclusion on that myself, and I don't know if our team has either. I'm not sure that I really know what the long-term vision is for storage access; it's very easy to see it as a stop-gap, in which case the ad hoc collection of policies we have today might be preferable to taking on a grand project in the vein of FPS. That remains the case for me even though I'm acutely aware that the ad hoc approach is terrible in a great many ways, both for users and websites.
Discussed 1 March, https://www.w3.org/2022/03/01-web-adv-minutes.html#t04
The First Party Sets proposal continues to evolve and at this point has become pretty different from the initial proposal, especially with the idea of some sort of independent entity checking and potentially invalidating self-attested sets.
I'm curious where the participants in this group land in terms of approval of the current state of the proposal as well as if those that have supported it in the past continue to support its current state.
To be clearly upfront with my purposes here: I'm not sure First Party Sets continues to make sense. Chrome team clearly intends it to be a way to have lower security walls for cross-site communication, but all the other browsers have made clear they do not intend to use it that way. Some of their use cases seem to be centered around easier to accomplish URL decoration or login, but I am admittedly vague on this.
As a result, I'm wondering if participants in this group would continue to see a use in FPS that does not reliably drop cross-site security to some degree?
It might be helpful if @martinthomson or @johnwilander were able to speak in more detail to what the other uses they see in FPS are, either here in text, by linking to existing statements, or by sending a rep to talk to this idea in the upcoming meeting.