Introduces a mechanism by which a set of registrable domains (a "First-Party Set") can declare themselves to be the same "party" or entity, such as web properties owned by the same company, or domains with different ccTLDs used by the same website. A First-Party Set applies to all HTTPS origins with a registrable domain that is the owner or a member element of the set. This proposal is for a simplified initial prototype.

Motivation

In support of potential browser privacy models to restrict cross-party tracking, web platform features can use First-Party Sets to determine whether embedded content may or may not access its own state. First-Party Sets define a more realistic “privacy boundary” by reflecting the real-world organization of websites, which often span multiple registrable domains. Firefox's Enhanced Tracking Protection features use a list of "entities" maintained by Disconnect, so that third-party resources are not blocked if they belong to the same entity as the top-level site. Edge's tracking prevention feature includes an "Org Relationship Mitigation" that exempts third-party content from being blocked if the resource's URL belongs to the same organization as the requesting site. This proposal aims to standardize such behavior by introducing First-Party Sets as the web's privacy boundary, replacing the existing ad hoc and UA-specific behavior. Some potential uses enabled by First-Party Sets are listed below. These are not in scope for the current proposal, and are listed here only for background. Separate proposals will be shared when these are ready to be prototyped: * Cross-domain first-party cookies * Partitioned network caches * Anti-fingerprinting

Documentation

Specification

Public discussion

Status in Chromium

Privacy


Proposed (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Owners

Search tags

first party, third party, site, entity, privacy boundary,

Last updated on 2021-01-07