
Clear-Site-Data and partitioning #66

Open
annevk opened this issue Jul 23, 2020 · 3 comments

Comments

@annevk
Member

annevk commented Jul 23, 2020

At some point the discussion at privacycg/storage-partitioning#11 will likely impact this document. It might be worth following if you're interested.

@dveditz
Member

dveditz commented Jul 29, 2020

Partitioning is going to affect a lot of specifications. Summarizing from that discussion, given 1st-party domain A and 3rd-party resource B:

  • CSD on a 3rd-party B MUST NOT affect any B resources outside the AB partition. Doing so would leak information outside the partition. Domain B might desire a global logout, but we have to treat each partition as if it's a separate logical browser, so tough luck. If a browser can't clear only partitioned B, it's reasonable to say browsers MAY ignore CSD (in whole or in part) in a 3rd-party context (as Chrome seems to currently).

  • CSD on B in a 1st-party context MUST NOT affect any partitioned B resources. That too leaks across logical browsers and allows tracking.

  • CSD on A in a 1st-party context SHOULD (MUST?) also clear all 3rd-party resources in the A partition. If you don't, they may never go away because CSD can't otherwise reach them, and if you never open A again it's just wasting space. If you do open A again, the 3rd-party resources could also be used to restore some of the pre-cleared A state.

These rules should not constrain what user agents allow users to do manually. I would argue that a user could tell a browser to "Forget about" site A and it would clear all 1st party A resources, 3rd parties partitioned under A, and also all A storage partitioned under B, C, etc. Other choices might be reasonable.
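The three rules above, plus the manual "Forget about site A" behaviour, as an added model (example code, not from this issue or any browser): storage is keyed by (top-level site, origin), so ("a.example", "b.example") is the AB partition, and the sample entries are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class PartitionedStorage:
    # key: (top-level site, origin) -> set of stored item names
    data: dict = field(default_factory=dict)

    def put(self, top: str, origin: str, item: str) -> None:
        self.data.setdefault((top, origin), set()).add(item)

    def clear_site_data(self, top: str, origin: str) -> set:
        """Apply a Clear-Site-Data response sent by `origin` while loaded
        under top-level site `top`. Returns the partition keys cleared."""
        if origin == top:
            # 1st-party CSD on A: clear A's own partition and every 3rd-party
            # partition under A (rule 3). A's storage partitioned under
            # other top-level sites is untouched (rule 2).
            cleared = {k for k in self.data if k[0] == top}
        else:
            # 3rd-party CSD on B under A: only the AB partition (rule 1).
            # B's 1st-party storage and (C, B) partitions are out of reach.
            cleared = {k for k in self.data if k == (top, origin)}
        for key in cleared:
            del self.data[key]
        return cleared

    def forget_site(self, site: str) -> set:
        """Manual 'Forget about this site': everything the site owns, as
        1st party, partitioned under it, or partitioned under others."""
        cleared = {k for k in self.data if site in k}
        for key in cleared:
            del self.data[key]
        return cleared


def sample_store() -> PartitionedStorage:
    # Constructed state: A embeds B, B is also a 1st party, C embeds B and A.
    s = PartitionedStorage()
    s.put("a.example", "a.example", "session")
    s.put("a.example", "b.example", "tracker-id")
    s.put("b.example", "b.example", "login")
    s.put("c.example", "b.example", "tracker-id")
    s.put("c.example", "a.example", "embed-state")
    return s
```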

@johnwilander

Thanks for filing this, Anne! The linked issue has all the details. It boils down to one first-party site having control over website data under another first-party site, which can be used to construct a joint user ID across websites.

@annevk
Member Author

annevk commented Dec 10, 2020

FWIW, I filed #68 as a result of that discussion.
