
You visit a.example. It talks to a central server and says "I saw a user with identity a.example:foo". Then you visit b.example. It talks to a central server and says "I saw a user with identity b.example:bar". Without third-party cookies (or fingerprinting) how does the central server correlate these requests?


Ah, indeed. Appreciate that example. I guess my frame of mind comes from knowing what the large agency conglomerates are working around by using Unified ID or some other identity graph from pieces of data like hashed emails etc. Of course this means that the advertiser themselves are permitting such use.


user visits a.example

a.example doesn't have the user's identifier yet so it redirects to identifier.example

identifier.example sets a new ID as a cookie and redirects back with the ID

This happens so fast the user doesn't notice and location.replace doesn't generate history entries so there's no record of it happening

a.example saves the ID in its storage

Now the user goes to b.example

b.example doesn't have the ID so it redirects to identifier.example

identifier.example sees the ID in the cookie set when a.example redirected through and redirects back with the ID

b.example now has the same ID as a.example

That's all 1st party cookies


That worked in the early days of ITP, but it doesn't work anymore in any browser that blocks third-party cookies.


It still works. I made a PoC and tested it, and it works on Chromium, Firefox and MobileSafari. https://xsid-demo.glitch.me/


You're right, sorry, that does work! I definitely thought it didn't...

This seems worth raising with browsers as a bug, since this should be easily detectable as an attempt to work around cross-site tracking restrictions?
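On the detectability question raised above, here is an added example (not part of any comment in this thread) of a heuristic that flags redirect hops like identifier.example from a navigation log. The hop fields, the sample chains and the thresholds are assumptions made for illustration and do not reproduce any browser's actual mitigation.

```javascript
// Added example. Hop fields and thresholds are assumptions, not any browser's heuristic.
const hop = (site, interacted, stateAccess, dwellMs) =>
  ({ site, interacted, stateAccess, dwellMs });

// Constructed navigation chains: the ordered page loads of one top-level navigation.
const sampleChains = [
  // The flow from the thread: silent bounce through identifier.example and back.
  [hop("a.example", true, true, 0), hop("identifier.example", false, true, 40),
   hop("a.example", true, true, 60000)],
  [hop("b.example", true, true, 0), hop("identifier.example", false, true, 35),
   hop("b.example", true, true, 42000)],
  // Explicit login (OAuth2/OIDC style): the user interacts with the intermediate site.
  [hop("shop.example", true, true, 0), hop("login.example", true, true, 15000),
   hop("shop.example", true, true, 90000)],
  [hop("forum.example", true, true, 0), hop("login.example", true, true, 9000),
   hop("forum.example", true, true, 30000)],
  // Stateless link shortener: bounces, but stores nothing.
  [hop("news.example", true, false, 0), hop("short.example", false, false, 30),
   hop("blog.example", true, false, 20000)],
];

function findBounceTrackers(chains, { maxDwellMs = 1000, minInitiators = 2 } = {}) {
  const interactedSites = new Set();   // sites the user has ever engaged with
  const candidates = new Map();        // bounce site -> Set of initiating sites
  for (const chain of chains) {
    for (const h of chain) if (h.interacted) interactedSites.add(h.site);
    for (let i = 1; i < chain.length - 1; i++) {
      const h = chain[i];
      const isBounce = !h.interacted && h.stateAccess && h.dwellMs <= maxDwellMs &&
        h.site !== chain[i - 1].site && h.site !== chain[i + 1].site;
      if (!isBounce) continue;
      if (!candidates.has(h.site)) candidates.set(h.site, new Set());
      candidates.get(h.site).add(chain[0].site);
    }
  }
  // Flag only sites never interacted with that bounce for several distinct initiators.
  return [...candidates]
    .filter(([site, inits]) => !interactedSites.has(site) && inits.size >= minInitiators)
    .map(([site, inits]) => ({ site, initiators: [...inits].sort() }));
}

console.log(findBounceTrackers(sampleChains));
```

The login and link-shortener chains are included to show the two false-positive classes the heuristic has to avoid: intermediate sites the user actually interacts with, and bounces that never touch storage.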


OAuth2 or OIDC


I mean, yes, if you explicitly tell two websites who you are then they can agree on who you are. But that's very rare, no? What fraction of sites are you logging into?



