"If a user wants to have certain 3rd-party sites to be able to set
cookies, they can create an exception"
So you are arguing that based upon the syntax of the language in the
option ... the new behavior more accurately matches what the option
says it will do. Why is this deemed necessary? It doesn't provide
improved security to the end user... in practice it does just the
The option's language still doesn't match the resulting change in
behavior ... as it is blocking all HTML5 storage mechanisms ... not
just cookies. If the goal is to exactly match the language of the
option's description, you guys are still failing to do that.
This to me seems incredibly arbitrary ... and seems like the result of
some end user noticing that the option doesn't do *exactly* what it
says ... and the developer changing the behavior without a thought as
to why it behaved like that in the first place.
It's not as if it was an accident that 5 browsers had exactly the same
option ... and behaved in exactly the same way with regards to iFramed
cookies. It was intentional ... because POST'ed iFrames aren't
really 3rd parties.
This doesn't benefit the end-user in reality ... and does a great deal
to limit applications that *should* have 1st-party status.
An iFrame should be considered a 1st party ... especially in the
context of something like a Facebook application. The user has
navigated to the app, they even are prompted for permission to access
their private information. It is not obvious to the user that these
applications are third parties ...
The first issue is that *every* other browser on the market behaves
differently. Not only do other browsers behave differently, but
Chrome behaved correctly up until 2 releases ago. There's also no
indication to the end-user of a *major* change in functionality.
If Chrome wants to have an additional feature that blocks iFrame
POST'ed cookies, that should be an additional parameter ... and the
existing one should continue to behave as it did, and as all other
browsers currently do.
The bigger issue here is that in an attempt to provide "improved"
security ... Chrome has effectively removed the primary mechanism for
securely logging in users in iframe applications.
Any Facebook application that utilizes cookies to authenticate a
user ... will no longer work when this setting is enabled.
As a developer of a major Facebook game, I am now faced with the
options of either passing the authentication token around in the URL
(not secure) ... or simply ignoring the 5% of users that have this
Though I'm all for suggestions on how to circumvent this, and still
retain a secure mechanism to authenticate users.
On Feb 13, 2:31 am, Jochen Eisinger <joc...@chromium.org> wrote:
> (resending so it gets through to the group)
> On Mon, Feb 13, 2012 at 11:29 AM, Jochen Eisinger <joc...@chromium.org
> > Hey,
> > If a user wants to have certain 3rd-party sites to be able to set cookies,
> > they can create an exception (either to always allow them, or to allow
> > those cookies for the current session only). If they want all third-party
> > sites to be able to set cookies, they can just stick with the recommended
> > default to accept all cookies.
> > hth
> > -jochen
> >> Chromium Discussion mailing list: chromium-disc...@chromium.org