⭐ Alex ⭐
Well-known member
I'm going to be frank, I've always thought this cookie notice rush was a pile of hot water.
As far as I have always understood, most breaking of user trust happens when you host third party scripts, advertisements, etc on your site which fingerprint the user and call home (to a third party such as an ad network) with what they learned about them and their visit.
Cookie notices do nothing about that, browser addons like uBlock do. These scripts don't even need cookies to track you because they can do browser fingerprinting.
Now let me get to the main point.
I recently learned about
<meta name="referrer" content="no-referrer" />
(I really should have known this way sooner). This really solves a lot of potential of third party tracking when the script payloads don't have the facilities to call home. Like a useful script reference on your website can no longer be abused to track what websites someone is visiting by the script host looking at the referer in the HTTP request.
So now, if we have say a YouTube video iframe embed in our forum. It loaded with no referrer. It can't by any means determine where it's loaded on. And it decides to set cookies on its own domain, why on earth does GDPR care? It feels like GDPR is some group of people that don't understand the technical nature of the web, and have been misled by the experts that informed it. Because once again, the attack vector is not in the cookies. It is in fact in passing identifiable information into the iframe via the src URL property or showing the referrer when making the request.
Because of the same-origin policy, the iframe is no different than the person visiting YouTube directly, so any cookies it sets to its own domain are no one's business and no concern. GDPR really puts the wrong thing behind bars.
Any personal thoughts about this? Does anyone agree with my views, or find them incorrect?
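An added example, not part of the original post: a small Python audit of a page's own HTML that reports, for each third-party script, iframe or image, what `Referer` the third party would receive under the effective referrer policy and whether the `src` URL itself carries a query string. The sample markup, host names and `audit` helper are constructed for illustration; it assumes HTTPS-to-HTTPS requests and a browser default of `strict-origin-when-cross-origin`.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# What a cross-origin HTTPS request carries in Referer under each policy.
POLICY_SENDS = {
    "no-referrer": "nothing", "same-origin": "nothing",
    "origin": "origin", "strict-origin": "origin",
    "origin-when-cross-origin": "origin",
    "strict-origin-when-cross-origin": "origin",
    "no-referrer-when-downgrade": "full-url", "unsafe-url": "full-url",
}
DEFAULT_POLICY = "strict-origin-when-cross-origin"  # assumed browser default

class EmbedAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.policy, self.findings = page_host, DEFAULT_POLICY, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            # Applies to elements parsed after it; unrecognised values are ignored.
            if a.get("content", "").lower() in POLICY_SENDS:
                self.policy = a["content"].lower()
            return
        if tag not in ("script", "iframe", "img") or not a.get("src"):
            return
        url = urlsplit(a["src"])
        if not url.hostname or url.hostname == self.page_host:
            return  # relative or same-host URL: not a third party
        own = a.get("referrerpolicy", "").lower()  # per-element override
        policy = own if own in POLICY_SENDS else self.policy
        # Last field: does the src itself pass data in a query string?
        self.findings.append((tag, url.hostname, POLICY_SENDS[policy], bool(url.query)))

def audit(html, page_host):
    parser = EmbedAudit(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page; VIDEO_ID and the example.* hosts are placeholders.
SAMPLE = """<head><script src="https://cdn.example.net/lib.js"></script>
<meta name="referrer" content="no-referrer" /></head>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe src="https://widgets.example.org/frame?uid=alex-1234"></iframe>
<img src="https://stats.example.com/p.gif" referrerpolicy="unsafe-url">
<script src="/js/forum.js"></script>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "forum.example"):
        print(finding)
```

The script placed before the meta tag is still fetched under the default policy, and the per-element `referrerpolicy="unsafe-url"` overrides the page-wide `no-referrer`, so both show up as sending referrer data despite the meta tag.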