Jared Hanson · Jul 29, 2022 · 7:52 PM UTC

Jared Hanson

Jared Hanson @jaredhanson

29 Jul 2022

What would happen if browsers started syncing cookie jars across devices, the same way they sync passwords and #webauthn passkeys?

Sam Goto · Jul 29, 2022 · 9:02 PM UTC

Sam Goto @samuelgoto

29 Jul 2022

I'm pretty convinced there is something to be done here. Not cookies per se, has to be opt in (breaks backwards compatibility otherwise), but i agree there is something here. Interested in exploring this further with browser engineers?

Aaron Parecki · Jul 29, 2022 · 9:40 PM UTC

Aaron Parecki @aaronpk

29 Jul 2022

If you think this won't immediately be abused in ways you didn't intend, go read up on Britney's case where they had a copy of all her comms from a shadow iOS device signed in to her iCloud

Jared Hanson · Jul 29, 2022 · 10:17 PM UTC

Jared Hanson @jaredhanson

29 Jul 2022

Yes, it was a random thought and I’m sure there are consequences. What if the browser itself required FaceID to unlock the cookie jar. That would mitigate many issues, and if you squint at it is not all that different than a credential store.

Aaron Parecki · Jul 29, 2022 · 10:19 PM UTC

Aaron Parecki · Jul 29, 2022 · 10:19 PM UTC

Aaron Parecki @aaronpk

29 Jul 2022

Replying to @jaredhanson @samuelgoto

The problem is FaceID is only tied to the device so it doesn't change the situation 😔 I'm also not convinced syncing WebAuthn keys was a good idea either tho

Jul 29, 2022 · 10:19 PM UTC

tim · Jul 29, 2022 · 10:21 PM UTC

tim @timcappalli

29 Jul 2022

Replying to @aaronpk @jaredhanson @samuelgoto

Session references and account credentials are fundamentally different