I spent some time reading through the Mix and Match proposal. I'm not sure I understand it.
In particular, I am confused about:
The proposal seems to focus heavily on what we do with state we receive as part of the redirect. Do we promote it, or do we leave it double keyed? It doesn't seem to explain how we choose what state to _send_. For example:
For instance, in a redirect chain from foo.com -> tracker.com -> bar.com, the tracker.com cookies will be double keyed foo.com|tracker.com, while the bar.com cookies will be double keyed foo.com|bar.com. However, after the user begins to interact with bar.com, bar.com is promoted to be the First Party Domain, and Cookies set on the initial redirect need to be moved under the bar.com key.
When we send a request to foo.com, I assume we will send any current cookies we have keyed under foo.com|foo.com[0]. When we receive a redirect to tracker.com - how do we choose what state to send? We don't know ahead of time whether it will give us a redirect or not, so are we sending it any state we have under tracker.com|tracker.com (treating it as a first party) or are we sending it any state we have under foo.com|tracker.com?
The latter is better for privacy; but it would require you to re-sign-in via OAuth a lot (pretend tracker.com is oauth.com); and I'm nervous it would break login flows. Especially if you interact with oauth.com and that seems to promote it into oauth.com|oauth.com and then you later go through foo.com|oauth.com and there's no state there...
[0] I'm pretty sure that we use the First Party Domain as both the primary and secondary key for state under the first party; right? In any event, when I say foo.com|foo.com I mean data keyed under the foo.com first party.
I'm also a bit confused about the difference between different targets of redirects. It seems like:
- If the target is example.com: we don't double-key or need to promote upon interaction
- If the target is example.com?lang=en: we do double-key any state set, and upon user interaction promote the state to first party.
- If the target is example.com/foo/bar.html: we do double-key any state set, and upon user interaction promote the state to first party.

Finally, in a multi-redirect scenario like a.com -> b.com -> c.com, I'm unsure if there is a difference in how we handle state we receive for b.com if:
- The target is b.com
- The target is b.com?lang=en
- The target is b.com/foo/bar.html
I started drawing out a matrix of what happens when. I came up with the following. I don't think I understand the proposal well enough to fill it out. I'm hoping I will be able to do so though! I'm going to paste it in its entirety:
---------- Single-Redirect, Before User Interaction
Click a link for aaa.com/foo/blah.html and the response redirects to ccc.com (before any user interaction):
- To aaa.com you send state keyed under aaa.com|aaa.com
- To ccc.com you send state keyed under ccc.com|ccc.com
- The browser deposits you at ccc.com
- Any cookies or other state set by aaa.com is set normally according to FPI rules, so will be keyed under aaa.com|aaa.com
- Any cookies or other state set by ccc.com is set normally according to FPI rules, so will be keyed under ccc.com|ccc.com

Click a link for aaa.com/foo/blah.html and the response redirects to ccc.com?lang=en (before any user interaction):
- To aaa.com you send state keyed under ???
- To ccc.com you send state keyed under ???
- The browser deposits you at ??
- Any cookies or other state set by aaa.com is keyed under ??
- Any cookies or other state set by ccc.com is keyed under ??

Click a link for aaa.com/foo/blah.html and the response redirects to ccc.com/new-foo/blah.html (before any user interaction):
- To aaa.com you send state keyed under ???
- To ccc.com you send state keyed under ???
- The browser deposits you at ??
- Any cookies or other state set by aaa.com is keyed under ??
- Any cookies or other state set by ccc.com is keyed under ??
---------- Single-Redirect, After User Interaction
Perhaps you scroll the page at ccc.com or perhaps click a link or highlight some text.

Click a link for aaa.com/foo/blah.html and the response redirects to ccc.com, and then you interact:
- To aaa.com you send state keyed under aaa.com|aaa.com
- To ccc.com you send state keyed under ccc.com|ccc.com
- The browser deposits you at ccc.com
- There is no change to state for aaa.com, as it is already stored under aaa.com|aaa.com
- There is no change to state for ccc.com, as it is already stored under ccc.com|ccc.com

Click a link for aaa.com/foo/blah.html and the response redirects to ccc.com?lang=en, and then you interact:
- To aaa.com you send state keyed under ???
- To ccc.com you send state keyed under ???
- The browser deposits you at ??
- Any cookies or other state set by aaa.com is migrated(?) and now keyed under ??
- Any cookies or other state set by ccc.com is migrated(?) and now keyed under ??

Click a link for aaa.com/foo/blah.html and the response redirects to ccc.com/new-foo/blah.html, and then you interact:
- To aaa.com you send state keyed under ???
- To ccc.com you send state keyed under ???
- The browser deposits you at ??
- Any cookies or other state set by aaa.com is migrated(?) and now keyed under ??
- Any cookies or other state set by ccc.com is migrated(?) and now keyed under ??
---------- Multi-Redirect, Before User Interaction
Click a link for aaa.com/foo/blah.html and the response redirects to bbb.com and the bbb.com response then redirects to ccc.com (before any user interaction):
- To aaa.com you send state keyed under ???
- To bbb.com you send state keyed under ???
- To ccc.com you send state keyed under ???
- The browser deposits you at ccc.com
- Any cookies or other state set by aaa.com is ???
- Any cookies or other state set by bbb.com is ???
- Any cookies or other state set by ccc.com is ???

Click a link for aaa.com/foo/blah.html and the response redirects to bbb.com and then the bbb.com response redirects you to ccc.com?lang=en (before any user interaction):
- To aaa.com you send state keyed under ???
- To bbb.com you send state keyed under ???
- To ccc.com you send state keyed under ???
- The browser deposits you at ??
- Any cookies or other state set by aaa.com is ???
- Any cookies or other state set by bbb.com is ???
- Any cookies or other state set by ccc.com is ???

Click a link for aaa.com/foo/blah.html and the response redirects to bbb.com and then the bbb.com response redirects you to ccc.com/new-foo/blah.html (before any user interaction):
- To aaa.com you send state keyed under ???
- To bbb.com you send state keyed under ???
- To ccc.com you send state keyed under ???
- The browser deposits you at ??
- Any cookies or other state set by aaa.com is ???
- Any cookies or other state set by bbb.com is ???
- Any cookies or other state set by ccc.com is ???

*** Is there any behavior change between a middle redirect that goes to bbb.com vs bbb.com/?querystring or bbb.com/foo/bar.html? ***
---------- Multi-Redirect, After User Interaction
Perhaps you scroll the page at ccc.com or perhaps click a link or highlight some text.

Click a link for aaa.com/foo/blah.html and the response redirects to bbb.com and the bbb.com response then redirects to ccc.com, and then you interact:
- To aaa.com you send state keyed under ???
- To bbb.com you send state keyed under ???
- To ccc.com you send state keyed under ???
- The browser deposits you at ccc.com
- Any cookies or other state set by aaa.com is ???
- Any cookies or other state set by bbb.com is ???
- Any cookies or other state set by ccc.com is ???

Click a link for aaa.com/foo/blah.html and the response redirects to bbb.com and then the bbb.com response redirects you to ccc.com?lang=en, and then you interact:
- To aaa.com you send state keyed under ???
- To bbb.com you send state keyed under ???
- To ccc.com you send state keyed under ???
- The browser deposits you at ??
- Any cookies or other state set by aaa.com is ???
- Any cookies or other state set by bbb.com is ???
- Any cookies or other state set by ccc.com is ???

Click a link for aaa.com/foo/blah.html and the response redirects to bbb.com and then the bbb.com response redirects you to ccc.com/new-foo/blah.html, and then you interact:
- To aaa.com you send state keyed under ???
- To bbb.com you send state keyed under ???
- To ccc.com you send state keyed under ???
- The browser deposits you at ??
- Any cookies or other state set by aaa.com is ???
- Any cookies or other state set by bbb.com is ???
- Any cookies or other state set by ccc.com is ???

*** Is there any behavior change between a middle redirect that goes to bbb.com vs bbb.com/?querystring or bbb.com/foo/bar.html? ***
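
Added example, not part of the original message or of the Mix and Match proposal: a toy model of the double-keyed jar from the foo.com -> tracker.com -> bar.com passage above, with promotion on interaction, plus the two candidate send-side policies the message asks about for oauth.com. The class, the function names, the policy names "first-party" and "double-key", and the choice to promote only the final destination's state are assumptions made for illustration.

```python
from collections import defaultdict

class DoubleKeyedJar:
    """Toy cookie jar keyed by (first_party, host). Assumed model, not browser code."""
    def __init__(self):
        self.jar = defaultdict(dict)          # (first_party, host) -> {name: value}

    def set(self, first_party, host, name, value):
        self.jar[(first_party, host)][name] = value

    def get(self, first_party, host):
        return dict(self.jar.get((first_party, host), {}))

    def promote(self, old_first_party, host):
        """On user interaction, move state from old_first_party|host to host|host."""
        moved = self.jar.pop((old_first_party, host), {})
        self.jar[(host, host)].update(moved)
        return moved

def follow_chain(jar, chain, send_policy):
    """Walk a redirect chain given as [(host, cookies_set_by_response), ...].
    Returns {host: cookies sent to that host} under the chosen send policy."""
    origin, sent = chain[0][0], {}
    for host, set_cookies in chain:
        # Hypothetical policies: read from host|host, or from origin|host.
        key = host if (host == origin or send_policy == "first-party") else origin
        sent[host] = jar.get(key, host)
        for name, value in set_cookies.items():
            jar.set(origin, host, name, value)    # received state: origin|host
    return sent

def oauth_scenario(send_policy):
    jar = DoubleKeyedJar()
    # Constructed input: the user signed in at oauth.com directly earlier.
    jar.set("oauth.com", "oauth.com", "session", "s1")
    sent = follow_chain(jar, [("foo.com", {}), ("oauth.com", {})], send_policy)
    return sent["oauth.com"]

def promotion_scenario():
    jar = DoubleKeyedJar()
    chain = [("foo.com", {}), ("tracker.com", {"id": "t1"}), ("bar.com", {"pref": "b1"})]
    follow_chain(jar, chain, "double-key")
    jar.promote("foo.com", "bar.com")             # user interacts with bar.com
    return jar

if __name__ == "__main__":
    print("first-party send:", oauth_scenario("first-party"))
    print("double-key send: ", oauth_scenario("double-key"))
    print("after promotion: ", dict(promotion_scenario().jar))
```

Under the "double-key" policy oauth.com receives no session cookie, which is the login-flow breakage the message worries about; under "first-party" the redirect target sees its full first-party state.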