Jared Hanson · Jul 29, 2022 · 7:52 PM UTC

Jared Hanson

Jared Hanson @jaredhanson

29 Jul 2022

What would happen if browsers started syncing cookie jars across devices, the same way they sync passwords and #webauthn passkeys?

Sam Goto · Jul 29, 2022 · 9:02 PM UTC

Sam Goto @samuelgoto

29 Jul 2022

I'm pretty convinced there is something to be done here. Not cookies per se, has to be opt in (breaks backwards compatibility otherwise), but i agree there is something here. Interested in exploring this further with browser engineers?

Aaron Parecki · Jul 29, 2022 · 9:40 PM UTC

Aaron Parecki · Jul 29, 2022 · 9:40 PM UTC

Aaron Parecki @aaronpk

29 Jul 2022

Replying to @samuelgoto @jaredhanson

If you think this won't immediately be abused in ways you didn't intend, go read up on Britney's case where they had a copy of all her comms from a shadow iOS device signed in to her iCloud

Jul 29, 2022 · 9:40 PM UTC

Jared Hanson · Jul 29, 2022 · 10:17 PM UTC

Jared Hanson @jaredhanson

29 Jul 2022

Replying to @aaronpk @samuelgoto

Yes, it was a random thought and I’m sure there are consequences. What if the browser itself required FaceID to unlock the cookie jar. That would mitigate many issues, and if you squint at it is not all that different than a credential store.

Aaron Parecki · Jul 29, 2022 · 10:19 PM UTC

Aaron Parecki @aaronpk

29 Jul 2022

The problem is FaceID is only tied to the device so it doesn't change the situation 😔 I'm also not convinced syncing WebAuthn keys was a good idea either tho

more replies