Introduces a mechanism by which a set of registrable domains (a "First-Party Set") can declare themselves to be the same "party" or entity, such as web properties owned by the same company, or domains with different ccTLDs used by the same website. A First-Party Set applies to all HTTPS origins with a registrable domain that is the owner or a member element of the set. This proposal is for a simplified initial prototype.
Motivation
In support of potential browser privacy models to restrict cross-party tracking, web platform features can use First-Party Sets to determine whether embedded content may or may not access its own state. First-Party Sets define a more realistic “privacy boundary” by reflecting the real-world organization of websites, which often span multiple registrable domains. Firefox's Enhanced Tracking Protection features use a list of "entities" maintained by Disconnect, so that third-party resources are not blocked if they belong to the same entity as the top-level site. Edge's tracking prevention feature includes an "Org Relationship Mitigation" that exempts third-party content from being blocked if the resource's URL belongs to the same organization as the requesting site. This proposal aims to standardize such behavior by introducing First-Party Sets as the web's privacy boundary, replacing the existing ad hoc and UA-specific behavior. Some potential uses enabled by First-Party Sets are listed below. These are not in scope for the current proposal, and are listed here only for background. Separate proposals will be shared when these are ready to be prototyped: * Cross-domain first-party cookies * Partitioned network caches * Anti-fingerprinting
Documentation
Specification
Unknown standards status - check spec link for status
Status in Chromium
Origin trial
(tracking bug)
Consensus & Standardization
Owners
Intent to Prototype url
Intent to Prototype threadSearch tags
first party, third party, site, entity, privacy boundary,Last updated on 2021-09-17