Git Product home page Git Product logo

Comments (2)

cfredric avatar cfredric commented on August 24, 2024

If I understand correctly, the concern is that the current submission requirements do not sufficiently prevent a malicious actor from creating a set that contains domains that aren't actually under the malicious actor's control. Is that right?

If so, then I think the Submission Guidelines actually already require what you're suggesting - so it's not actually possible for a malicious actor to create such a set unless they gain administrative control over the domains in question. (Your suggested requirement is that each associated/service domain duplicate the same .well-known file that the primary hosts, while our guidelines only require that the associated/service domains declare how to find the primary's file, by listing the primary domain. This choice was intentional, to reduce maintenance burden on site administrators as sets evolve over time.)

The requirement for a reverse reference (to borrow your phrase) in the Submission Guidelines is here: https://github.com/GoogleChrome/first-party-sets/blob/3035f1f15aea0d34a9ff133c0959d0c0293129ed/FPS-Submission_Guidelines.md?plain=1#L141

The guidelines also contain an example of such a reference, and the schema, here: https://github.com/GoogleChrome/first-party-sets/blob/3035f1f15aea0d34a9ff133c0959d0c0293129ed/FPS-Submission_Guidelines.md?plain=1#L205-L220

The existing automated checks validate this requirement here: https://github.com/GoogleChrome/first-party-sets/blob/3035f1f15aea0d34a9ff133c0959d0c0293129ed/FpsCheck.py#L395-L409

I'm going to tentatively close this issue, but please reopen it if I've misunderstood anything.

from related-website-sets.

brownwolf1355 avatar brownwolf1355 commented on August 24, 2024

Thanks for the clarification. I realize I misunderstood the wording of the sentence you reference, "Each member domain must serve a JSON file at /.well-known/first-party-set.json. The contents of the file must name the primary domain." I also missed this in FPS checking code.

It was unclear to me what was meant by "Each member domain" and I assumed that this meant just the primary domain. It could be more explicit if it were reworded as, "Each of the associatedSites and serviceSites domain must also serve a JSON file at /.well-known/first-party-set.json. The contents of the first-party-set.json file on these domains must at a minimum name the primary domain."

I will submit a PR on the Submission Guidelines for this change.

from related-website-sets.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.