undefined | Better HN

0 pointsworksonmine3y ago0 comments

Tomato tomato. A httpsonly cookie (as a tracking cookie should be) is just as visible as localstorage. So sure, technically correct not a cookie but does the name matter when the result is identical.

"Hey, I got an idea how we get rid of those pesky cookie banners, let's drop the cookies, no.. wait.. hear me out. We store the id... in localstorage! Brilliant!" POW Confetti.

It's cookies.

0 comments

9 comments · 2 top-level

robertlagrant3y ago· 5 in thread

It's not cookies. It can't be used to track you across sites the way that a cookie can, as all the embedding site needs to do is ping the site the cookie is for, and it's done. How do multiple sites access the same localStorage?

panopticon3y ago

> How do multiple sites access the same localStorage?

With an iframe. Although Safari already has protections in place against this scenario: https://webkit.org/tracking-prevention/#partitioned-third-pa...

schemescape3y ago

I support this behavior, but I wish it allowed users to opt-out per domain or something. The current behavior breaks localStorage on HTML5 games on itch.io (for iPad users, mostly) and there’s no real workaround (other than asking users to disable the setting entirely—something I don’t want them to do). It’s not even possible to detect this case and warn users, so they just think the games are broken…

weird-eye-issue3y ago

Cookies can't really track you across sites reliably these days either. And in just the next couple years it will be almost entirely disabled by default in all major browsers

worksonmineOP3y ago

Is that really how httpOnly cookies work though? That and cross-origin is supposed to solve that, but I might not be aware of the work-around you're referring to. Did a search that turned up nothing, do you have a source?

I can't try myself right now. But last time I checked it's not at all that easy. What am I missing?

weird-eye-issue3y ago

Well, no, but you wouldn't set httpOnly if you wanted to do that

ihucos3y ago· 2 in thread

Hello worksonmine,

please see on my upper response a more technical elaboration on how it works. It is not the same as cookies.

Cheers

worksonmineOP3y ago

It's not really a more technical explanation. I get how localstorage and cookies are different. But it's a technicality the user doesn't care about. The problem is third party cookies.

Self-hosted solutions where only the site I visit tracks me is not a problem even for me as a privacy extremist. But calling it "no cookies" and putting the id in localstorage is misleading or misunderstanding the problem people have with cookies in the first place.

Don't get me wrong I like the effort and was looking for something similar before just implementing my own solution with regular nginx logs. But this is a space where trust is important.

ihucos3y ago

counter.dev does not use any id at all for tracking.

1 more reply

j / k navigate · click thread line to collapse

0 comments

9 comments · 2 top-level

robertlagrant3y ago· 5 in thread

panopticon3y ago

> How do multiple sites access the same localStorage?

With an iframe. Although Safari already has protections in place against this scenario: https://webkit.org/tracking-prevention/#partitioned-third-pa...

schemescape3y ago

weird-eye-issue3y ago

Cookies can't really track you across sites reliably these days either. And in just the next couple years it will be almost entirely disabled by default in all major browsers

worksonmineOP3y ago

I can't try myself right now. But last time I checked it's not at all that easy. What am I missing?

weird-eye-issue3y ago

Well, no, but you wouldn't set httpOnly if you wanted to do that

ihucos3y ago· 2 in thread

Hello worksonmine,

please see on my upper response a more technical elaboration on how it works. It is not the same as cookies.

Cheers

worksonmineOP3y ago

It's not really a more technical explanation. I get how localstorage and cookies are different. But it's a technicality the user doesn't care about. The problem is third party cookies.

Don't get me wrong I like the effort and was looking for something similar before just implementing my own solution with regular nginx logs. But this is a space where trust is important.

ihucos3y ago

counter.dev does not use any id at all for tracking.

1 more reply

j / k navigate · click thread line to collapse