From YouTube: The privacy sandbox - Jozi.js June
Description
Join us online 🌍 for a discussion on the privacy sandbox. Bring your questions, comments and insights.
💛 Our Code of Conduct https://docs.google.com/document/d/1j-OfcTwYejEj-WiQq9F9AcVv2L-Ki81RuhFTjquDJyk/edit?usp=sharing
📢 Submit a talk https://goo.gl/forms/66MrplT1FogDX88Q2
A
Hey
hello,
everybody
and
welcome
to
jersey,
jazz
june.
We
hope
you're
staying
safe
and
healthy
out
there.
Things
are
things
are
getting
real
in
the
world
once
again,
so
there's
a
few
housekeeping
items
that
we
just
want
to
talk
about
quickly.
A
So
we
have
a
code
of
conduct
that
is
linked
on
our
meetup
page
as
well
as
in
the
description
below
and
if
you
are
in
the
the
comments
or
in
the
chat
while
we're
streaming
live,
please
know
that
we
require
you
to
abide
by
it
just
to
try
and
keep
as
safe
as
space
as
possible.
A
The
the
link
is
in
the
description
as
said,
and
we
just
want
to
thank
one
sponsor,
which
is
emesis
for
our
streaming
sponsorship.
So
thank
you
very
very
much.
We
couldn't
use
the
nice
toys
if
you
didn't
help
us.
We
appreciate
it.
A
If
you
haven't
attended
one
of
the
recent
jersey,
js
meetups,
you
will
find
that
this
format
is
a
little
bit
different.
It's
geared
more
towards
a
panel
discussion
with
all
of
the
organizers,
that's
primarily
because
we
like
hanging
out-
and
we
like
talking
about
tech,
stuff
and
we're
going
to
be
talking
about
some
more
tech
stuff
today
and
we're
going
to
rather
than
struggling
through
getting
people
speaking,
which
is
challenging.
We
thought
we
would.
We
would
shoot
the
breeze
so
to
speak
and
on
to
shooting
the
breeze.
A
A
So
it's
not
a
matter
of
if
anymore,
it's
a
matter
of
when
and
finding
what
is
a
coarse-grained
enough
use
case
for
us
to
be
able
to
deprecate
cookies
now
something
that
I'd
like
to
cover
before
we
we
get
to
talking
about
the
specifics
of
stuff
is
the
idea
of
privacy
and
whether
privacy
isn't
important
or
not
and
like
the
short
answer
of
it
is
yes
and
privacy
is
important
to
everyone,
because,
even
if,
if
you
don't
mind
giving
up
your
privacy,
because
you
don't
see
that
or
you
you
don't
mind,
necessarily
being
targeted
and
being
fingerprinted,
that's
fine.
A
But
it's
still
important
because
the
data
that
gets
mined
from
your
privacy
settings
is
used
to
interact
with
or
to
use
to
profile
the
people
that
you
interact
with
so
by
you,
giving
up
your
security
you're
literally
harming
the
people
around
you
in
your
social
circles
and
not
to
stretch
a
metaphor,
and
I
apologize
for
the
the
sailing
metaphor.
A
A
A
So
how
the
cookie
gets
set
is
by
something
called
a
set
dash,
cookie
header,
which
comes
from
the
server
that
is
serving
the
content,
be
it
html,
javascript,
css
images
whatever,
and
this
is
fundamentally
bound
to
http,
because
the
cookie
set
from
that
origin
will
automatically
transparently
be
returned
to
that
origin,
pushing
that
state
backwards
and
forwards,
you
can
create
cookies
via
via
javascript,
but
those
are
a
little
rarer
because
they're
far
more
locked
down,
because
the
javascript
sandbox
is
really
advanced.
A
But
in
context
of
our
discussion
today
there
are
two
broad
types
of
cookies
that
we're
going
to
talk
about.
The
one
is
first
party
cookies
and
the
other
is
third
party
cookies.
So
what
do
we
mean
by
this?
So
first
party
cookies
are
cookies,
that
you
set
from
your
own
origin
that
you
control
for
your
own
consumption,
and
this
could
be
stuff
like
your
login
session
data.
A
It
could
be
personalization
settings
of
users
that
you
want
to
propagate
in
their
browser
and
only
if
you
do
it
properly
and
you
specif
you
log
it
lock
it
down
as
secure
and
http
only
you
will
pardon
me
only.
You
will
have
access
to
it
from
your
domain
and
you
won't
have
access
to
it
from
javascript.
A
So
first
party
cookies
are
relatively
safe.
So
we're
going
to
take
that
and
put
it
in
a
box
for
the
moment
and
focus
on
the
the
critical
part
that
invades
our
privacy
and
that's
third
party
cookies.
Now
the
same
mechanism
happens
where
third-party
cookies
get
set
by
visiting
another
origin.
While
you
are
on
your
own
page,
and
this
could
be,
for
example,
a
redirect
for
external
authorization,
so
oauth
and
some
of
the
use
cases
are
like
behavioral
tracking.
So
what
kinds
of
sites
does
this
person
visit?
A
What
kinds
of
things
do
they
interact
with
advertising?
So
if
you've
got
a
a
page
that
is
using
a
cookie
from
an
advertising
provider?
When
you
go
to
another
page
that
uses
the
same
advertising
provider,
they
share
data,
so
they're
sharing
their
advertising
data
for
you,
making
it
possible
to
serve
you
customized,
potentially
unwanted,
customized
ads,
and
then
there
are
positive
use
cases
for
it
as
well.
A
big
use
case
is
something
called
conversion
tracking,
which
I
think
we're
going
to
delve
into
a
little
bit
today,
because
it's
a
case
of
you.
A
You've
got
a
campaign
running
on
this
part
of
the
internet
and
when
somebody
clicks
through
on
that
advertising
or
goes
to
your
website
as
a
direct
jump
from
one
to
the
other,
the
conversion
tracking
cookie
goes
along
and
it's
a
good
way
of
trying
to
measure
where
people
are
accessing
your
website
from.
So
it's
a
positive
use
case.
A
A
Now
the
typical
standard
of
how
the
stuff
ends
up
being
used
is
something
called
a
tracking
pixel,
where
the
the
provider
that
you
link
to
will
give
you
an
image
url
of
a
probably
a
one
by
one
transparent,
pixel
that
loads
up
in
the
page
and
that
will
then
set
cookies
and
potentially
download
additional
scripts,
because
it's
not
a
it's,
not
an
actual
pixel
and
then
we'll,
probably
phone
home
to
wherever
the
source
of
the
the
cookie
comes
from.
A
So
this.
This
is
very,
very
useful
in
a
mechanism
called
click
through
conversion,
so
that
you
can
know
where
your
traffic
is
coming
from,
and
it's
a
very
important
use
case
for
people
that
are
in
the
the
media
business,
which
is
a
big
part
of
the
internet.
A
But
there's
this
problem
with
with
sharing
and
ex
you
know,
exposing
of
behavioral
data
between
different
providers
and
typically
it's
not
just
the
tracking
pixel
alone.
You'll
find
that
there's
a
tracking
pixel
and
an
additional
api
or
query
string
parameters
that
you
can
send,
along
with
the
tracking
pixel,
that
provides
additional
user
data
so
that
you
can
segment
who's
clicking
on
your
ads
and
where
they're
going
and
that
kind
of
thing,
which
is
a
little
invasive.
A
A
I
can't
simply
pause
what
it
is,
but
it
gives
enough
data
in
an
unsecure
manner.
So
in
the
the
headers
section
to
identify
your
device,
your
device
version,
your
browser,
your
browser
version,
what
operating
system
you're
running
and
if
you
take
a
look
at
all
of
that
stuff
in
conjunction,
you
essentially
end
up
being
able
to
fingerprint
users
with
a
relatively
high
degree
of
fidelity.
A
We're
going
to
talk
about
some
of
the
mitigations
of
that
that
are
coming
down
the
wire
later.
So
this
is
just
an
overview
of
the
kinds
of
things
that
we're
talking
about.
It's
slightly
simplistic
and
I'm
sure
a
lot
of
you
are
chewing
your
fingernails
thinking
that
I
have
oversimplified
parts
of
it,
but
I
think
it
just
gives
us
a
common
framework.
A
B
Yeah
cool,
so
I
was
looking
around
at
various
third-party
cookie
alternatives
and
the
conversion
api
is
one
of
them
and
another
one
is
called
flock.
So
I
figured
it'd
be
good
to
talk
about
both
of
them.
I
think
flock
is
a
little
bit
simpler,
so
I
might
talk
about
that.
One
first,
so
basically,
flock
stands
for
federated
learning
of
cohorts
to
check,
because
it's
a
weird
thing,
not
too
memorable,
but
basically
what
it
means
is.
B
This
thing
has
been
rolled
out,
but
only
like
to
a
small
number
of
people,
so
it
might
be
running
on
your
device.
It
might
not
be.
Who
knows,
I
think
it's
just
chrome,
so,
basically,
what
it
does
is
it
keeps
track
of
all
the
different
websites
that
you
that
you
travel
to
on
your
browser
and
every
week
it'll
calculate
an
identifier,
that's
unique
to
your
browser
and
it'll
and
well
it's
not
actually
unique
to
your
browser.
It's
it's
almost
like
a
hash,
so
it's
unique
to
a
bunch
of
people's
browsers.
B
Ideally
so
like
a
couple
of
thousand
people
would
have
the
same
identifier
and
that's
your
cohorts
that
that
you're
in
and
that
cohort
will
change
over
time
week
by
week,
as
as
you
do
different
things,
and
the
idea
is
that
people
can
access
that
cohort
id
via
javascript
and
then
they
can
advertise
to
you.
According
to
your
to
your
flock
id,
which
sounds
like
a
nice
idea,
because
it's
not
super
personalized.
B
It's
like
you
are
part
of
this
group
and
we're
advertising
to
the
group,
but
there
do
seem
to
be
some
problems
with
that
because
of
that
fingerprinting
that
mike
mentioned
and
jerry
will
talk
about
a
bit
later
because
with
regular
fingerprinting
on
the
internet,
there's
like
a
like.
B
If
you
try
and
get
a
fingerprint
from
somebody,
you
have
like
a
really
camera,
a
really
big
group
of
humans
that
you
need
to
identify
like
one
person
in,
but
as
soon
as
you
have
pluck
the
the
group
gets
much
smaller
because
you
have
their
block
id.
So
it's
like.
Oh
now
I
have
a
few
thousand
people
to
choose
from
so
there
are
some
very
clever
people
working
on
this,
but
I'm
not
convinced
it's
a
good
idea,
but
there
should
be
like.
I
do
believe
that
they're
trying
to
find
a
workaround.
B
So
that's
the
one
thing
that
is
currently
in
tests.
The
other
thing
that
exists
and
is
cool
and
stuff
is
the
conversion
tracking
api,
and
this
seems
like
a
much
better
idea
to
me.
So
I
so
there's
all
sorts
of
pieces
to
it
like
quite
a
lot.
B
Basically,
it's
a
way
of,
let's
say:
you've
got
a
a
blog
and
the
blog
runs
from
adverts
and
the
adverts
are
run
by
like
an
advert
company
and
they
have
a
website
and
they're
advertising
for
a
shop
that
tells
toasters
or
something
else
you'd.
There
should
be
some
secure
way
for
the
blog
to
report
to
the
advertiser
hey.
I
sent
a
bunch
of
people
to
the
toaster
shop
and
well.
B
People
have
noticed
the
toaster
shop
thing,
they've,
clicked
on
the
toaster
shop
link,
perhaps
and
you'd
want
the
toaster
shop
to
be
able
to
say,
like
these
led
to
conversions,
I
managed
to
sell
them
toasters,
but
but
it's
with
so
currently
like
third-party
cookies
are
the
thing
and
that
sucks,
because
it's
very
very
personalized-
and
you
can
tell
like
far
too
much
about
the
person
and
privacy
matters,
so
the
conversion
api
tries
to
get
around
that.
So,
as
mentioned
there's
a
whole
lot
of
different
pieces
to
it.
B
Only
one
piece
is
sort
of
out
in
the
wild
at
the
moment,
and
that
is
to
do
with
the
tracking
of
clicks
on
anchor
tags
and
with
no
open
events.
Everything
else
was
like
still
in
a
draft
phase,
so
I'm
just
going
to
talk
about
that
one
for
a
little
bit
zoom
in
so
basically
how
it
works
is
I'll
continue
like
I
wish.
B
I
drew
a
picture
because
it
feels
like
it
needs
a
picture,
but
I'm
just
gonna
explain
through
interpretive
dots,
so
so
we're
gonna
work
with
those
same
three
entities
as
before:
there's
a
blog
there's,
a
shop
and,
lastly,
there's
the
advertiser
who's
trying
to
join
the
dots
there.
So
the
blog
gets
some
money
they
get
to
survive
and
blog
some
more
and
the
toaster
shop
gets
to
sell
some
posters.
B
So
generally,
what
would
happen
or
how
this
would
work
would
be.
The
advertiser
would
expose
an
advert
and
that
advert
would
be
put
into
the
blog,
the
blog
website
in
an
iframe
or
something
similar
and
inside
that
iframe
there'll
be
an
anchor
that
anchor
would
point
to
the
shop.
So
now
people
on
the
blog
can
click
on
the
advert
and
go
straight
to
the
shop,
which
is
great
and
that's
like
a
totally
normal
thing.
B
Click
on
the
ad
you
go
to
the
thing
you're
trying
to
buy
now,
where
the
attributes,
where
yeah
so
then
on
the
anchor
tag,
there's
a
little
bit
of
extra
information
to
do
with
the
the
session
in
play,
so
yeah
so
it'll
have
a
whole
bunch
of
different
things
like
I
had
to
write
it
down.
So
remember,
yeah,
so
it'll
say
like
where
it'll
have
an
id
associated
with
it
and
it'll
say
like
where,
where
it
needs
to
report
to
like
like
what?
What
is
the
advertiser?
B
What
is
the
stuff,
so
it
keeps
identifiers
for
all
of
that
stuff
and
as
soon
as
the
user
clicks
on
that
link,
assuming
that
all
the
stuff
is
turned
on
in
their
browser,
I'm
not
sure
if
it
is
turned
on
in
everyone's
browser
yeah.
But
when
this
thing
works
as
soon
as
I
click
on
that
link,
that
information
gets
stored
in
their
browser
and
then
they
just
go
on
to
the
onto
the
shop
and
do
shopping
things
now.
B
Let's
say
this
person
like
took
a
look
around
decided
that
they
wanted
to
check
out
some
other
posters
somewhere
else
entirely,
and
they
left
the
store
they
they
check
out
a
whole
bunch
of
other
things.
Two
days
later,
they
come
back
to
the
toaster
shop
and
they
make
purchase.
Now
they
bought
a
toaster
wonderful
on
the
toaster
like
check
out
mechanism,
there
would
probably
be
a
tracking
pixel
or
something
like
that,
and
that
would
point
back
to
the
advertiser
and
what
it
would
do
is.
B
The
advertiser
would
then
be
able
to
send
a
response
that
lets
the
browser
know
that
attribution
has
happened
like
it
recognizes
that
the
toaster
has
been
sold
and
basically,
it
can
say,
like
it'll,
be
able
to
link
a
little
bit
of
information
about
the
kind
of
sale
so
about
three
bits
of
information
about
the
kind
of
cell
which
isn't
a
whole
lot,
and
so
it's
not
enough
information
to
fingerprint
a
person
and
then
it'll
basically
say
like
what
yeah
it'll
have
a
an
event
id
associated
with
it
that
it
knows
about
from
the
original
blog
anchor.
B
So
that
way
the
dots
get
joined,
but
the
yeah
so
so
yeah
so
actually
yeah.
So
the
response
goes
to.
Let
me
start
again
with
the
checkout,
so
the
person
gets
to
the
checkout.
They
make
a
request
for
the
tracking
pixel
to
the
pixel,
and
the
pixel
responds
with
the
response
that
that
has
a
bunch
of
information
in
it.
That
is
then
also
stored
in
the
browser.
So
it
doesn't
go
straight
back
to
to
the
to
the
advertiser
immediately.
It's
just
like
hangs
out
in
the
browser
for
a
while.
B
How
long,
I'm
not
sure
exactly
but
sometimes
so.
The
idea
is
that,
by
waiting
before
sending
information
to
the
advertiser,
you
can
obfuscate
the
data
a
little
bit.
So
they
know
a
toaster
was
sold.
They
know
it
was
because
of
an
advert,
but
they
don't
know
who
did
it
like
who
bought
it
and
and
that
sort
of
thing.
So
that's
it
in
a
nutshell,
but
I
think
it
does
maybe
need
a
picture.
B
A
A
So
the
fact
that
it's
complicated
is
probably
on
purpose
so
that
it
uses,
or
it
fits
a
whole
bunch
of
use
cases,
and
I
can
completely
imagine
that-
maybe
not
maybe
not
this
year,
but
maybe
soon
we'll
have
javascript
apis
that
completely
abstract
that
or
server-side
apis
that
completely
abstract
the
complexity
of
it.
Like
I
mean,
as
anybody
who
has
implemented
oauth
from
scratch
by
themselves,
knows
it's
a
pain,
but
it's
trivially
easy.
If
you
use
a
library
or
provider.
C
So,
just
listening
to
what
sheena
and
what
you
were
saying
now
mike
about
how
it's
extensible
and
everything,
so
when
you,
when
you
were
explaining
cookies,
the
way
you
made
them
sound
is
pretty
scary
like
if
you
don't
know
enough
about
privacy
and
whatever
it
makes
it
sound
like
am
I
worried
these
people
are
tracking
me.
I
should
be
paranoid,
but,
let's
think
about
where
cookies
came
from
right.
Cookies
came
from
a
place
where
they
were
both
for
a
purpose
they
weren't
broke
for
this
purpose.
C
They
were
both
for
a
different
purpose
and
the
reason
we
needed
them
is
because
we
needed
things
like
logins
and
all
of
those
nice
things
on
the
web.
So
we
could
make
the
internet
better
make
the
internet
work,
but
all
of
these
things
that
we're
doing
now
to
stop
cookies,
won't
those
things
eventually
become
cookies.
C
A
But
if
we
take
a
look
at
the
the
larger
picture,
you
know
because
the
same
concerns
used
to
be
had
for
javascript
in
the
javascript
sandbox
and
those
have
largely
been
shut
down
so
much
so
that
we've
got
other
languages
and
runtimes
and
things
that
are
are
wanting
to
use
the
javascript
sandbox
even
completely
outside
of
context.
You
know
using
it
on
the
server,
and
I
think
that
I
think
that's
why
standardization
is
important
and
that
going
slow
is
important.
A
So
we
can
identify
those
use
cases
because
there
are
a
whole
bunch
of
apis
that
were
added
to
the
browser
as
capabilities
that
are
not
necessarily
completely
for
purpose.
They're
really
really
hard
to
use.
So
there's
a
there's,
a
tacit
tension
between
those
two
and
I
think,
as
we
chase
capability
on
the
web,
and
try
and
have
browsers,
be
able
to
do
more
and
more
and
more
cooler
things
which
we
need
to
right
to
survive
as
an
ecosystem.
We're
going
to,
like
you
say,
increase
that
footprint
so
you're
right,
but
I
don't
think
you.
C
C
D
So
I'm
thinking
about
this-
I
don't
know
if
you
can
hear
me,
probably
because
I
lost
my
headsets,
but
the
idea
of
having
to
the
original
idea
of
cookies
and
it
having
to
be
able
to
extend
the
web
and
all
of
that
and,
as
mike
says,
like
there
was
like
a
sanity
standardization.
D
What
I'm
hoping
and
thinking
that
we're
trying
to
do
and
move
to
right
now
is
that
yes,
there's
the
right
or
standardized
level
of
collecting
information
so
that
we
can
still
achieve
the
goals
that
we
want
to
achieve
right
now
without
having
to
add
extra
information
that
in
after
it
evolved
you
started
being
used,
I
would
say,
for
malicious
means,
or
are
things
that
users
did
not
sign
up
for
so
maybe
yes
in
the
future,
they
become
cookies
themselves.
D
But
the
idea
is
that
they're,
not
they
have
there's
a
standard
behind
it.
There's
accepted
content
inside
of
it
that
everyone
who
signs
up
for
it
is
comfortable
with
the
amount
of
information
it's
collecting
about
them
and
what
kind
of
information
is
being
used
in
in
in
those
then
or
then
cookies
type
situation.
It's
not
not
having
an
alternative,
but
having
an
alternative
that
not
only
the
people
who
use
it,
understand
it
and
also
have
access
to
know
what
kind
of
information
is
collected
about
them.
Type
situation.
C
Yeah
because
it
it
kind
of
almost
brings
it
back,
I
think,
to
what
we
talked
about
last
month
with
the
being
able
to
understand
versus
being
using
the
thing
right,
because
all
of
us
ever
since
gdpr
started
in
the
in
europe
and
now
puppy
here,
every
website
has
one
of
those
except
cookie
banners,
but
most
people
that
aren't
necessarily
us
who
know
about
these
kinds
of
things
would
just
click
accept,
because
they
really
want
to
read
that
news,
24
article
or
whatever
it
is
yeah
make
the
box
go
away.
Just.
A
So
yeah
on
that
point,
it's
interesting.
I
have
done
so
much
gdpr
training
over
the
last
two
years.
I
could
probably
give
gdpr
training,
but
but
what's
interesting
about
that
example,
is
that
a
lot
of
people
just
have
a
badness
saying,
accept
all
cookies
and
all
cookies
are
essential,
which
is
not
true
right.
A
So
unless
you
can
granularly
toggle,
which
cookies
are
for
which
purpose
and
let
the
user
choose
and
easily
go
back
like
there's,
there's
no
compliance
there
right,
you're
not
actually
doing
anything,
but
the
users
don't
necessarily
know
the
distinction,
because
it
is
a
relatively
techy
thing
to
look
for.
If
there's
anybody
out
there,
if
you
go
to
a
page
that
you
don't
necessarily
fully
trust
and
you
don't
see
an
option
to
manage
cookies,
assume
that
they're
doing
something
wrong
and
the
other
the
other
element
of
trust.
A
That's
there
is
that
when
you
see
a
pop-up,
that's
got
gdpr
stuff
on
it.
It
doesn't
mean
that
they're
respecting
that
gdpr
post
right
they
may
have-
they
probably
have
already
contacted
facebook
and
google
analytics
and
set
cookies
across
those
platforms
like
it's.
It's
super
super
super
common.
So
we're
stuck
in
this
this
between
this
rock
and
a
hard
place
that
even
superficially
complying
with
legislature
doesn't
mean
that
you're,
technically
complying
and
users,
don't
necessarily
know
the
difference.
I
don't
necessarily
always
know
the
difference.
It's
not
easy
to
find.
B
So
I've
got
a
question
that
I
haven't
been
able
to
find
a
clear
answer
too.
So,
third
party
cookies,
I
think
we
can
all
agree.
Those
are
crap
and
they
should
go
away,
but
first
party
cookies
do
sometimes
have
really
useful
use
cases.
So
one
example
from
my
life
is:
there's
this
web
framework
in
python,
nasty
python
named
django
and
and
it's
it
does
some
pretty
normal
things
it.
B
It
generates
website
web
pages
on
the
server
and
then
send
them
out
to
the
client,
and
there
is
no
javascript
involved
and
so
like.
The
way
it
keeps
track
of
sessions
is
with
a
cookie
and
you
can
set
it
to
be
http
only
and
like
same
origin
and
all
of
that
stuff.
B
But
it's
like
if
those
go
away
and
now
we
need
to
use
something
else
and
get
access
to
local
storage
on
well
like
secure
storage
on
the
browser,
then
suddenly
we
need
to
have
a
javascript
component
associated
with
our
like
django
pages,
that
we're
arranging
on
the
server
which,
which
seems
yeah.
It
seems
like
it's
gonna,
probably
damage
a
lot
of
people.
B
E
Ptsd
of
mine,
from
back
in
the
web
form
days
where
viewstate
was
stored
and
passed
around
in
a
in
a
cookie
as
well,
and
that
that's
pretty
terrible
and
I'm
sure
there
are
like
based
on
my
experience
at
corporates.
There
are
still
a
ton
of
websites
out
there
that
are
fundamentally
relying
on
that
underlying
cooking
mechanism.
E
B
B
Yeah
yeah,
but
I
mean
if,
if
we
well,
if
we,
if
the
interwebs
were
to
roll
back
and
just
say
like
okay,
no
first
party
cookies,
unless
they
are
http
only
then
how
could
that
be
abused?
Can
it
be
abused.
E
A
A
Okay,
so
so
an
important
thing
to
remember
is
that
and
and
ryan
correct
me.
If
I'm
wrong
here,
I
think
I'm
right,
but
just
double
check
me:
the
the
ssl
transport
or
the
tls
lever
transport
for
an
http
response.
The
body
of
that
response
is
encrypted
reversibly,
but
the
headers
are
public.
Information
and
cookies
are
in
the
header.
So.
A
So
like
okay,
if,
if
you
think
about
it,
when
you
make
a
request
and
you're
sending
your
seemingly
innocuous
cookie,
even
though
you're
using
https
every
piece
of
networking
infrastructure
between
you
and
your
server
can
see
what
your
cookie
data
says.
A
Again
so
the
idea
being
that
there
are
apis
that
are
coming
and
the
meta
frameworks
like
django
will
use
those
apis
appropriately.
Now
there
might
not
be
http
driven
only
apis,
but
what
you'll
probably
find
is
in
the
future.
Django
will
or
let's
not
talk
about
django.
Specifically,
let's
just
talk
about
web
frameworks.
A
There
are
and
it's
beyond
the
scope
of
what
we
plan
to
discuss,
but
there
are
different
ways
of
securing
a
user
in
session
data
for
first
party
reasons
that
are
not
reliant
on
cookies,
right
we've
got
and
rudy,
I
think
like.
If
I
can
hand
over
to
you,
you
know,
we've
got
alternatives
in
terms
of
where
you
can
put
session
data
in
the
browser
already.
D
So
I
will
talk
on
a
high
level
about
what
I
know
right
now,
because
outside
of
like
session
storage,
where
we
could
add
information
that
would
be
one
of
the
places.
What
I've
also
seen
is
like
there's
certain
information
that
we
pass
in
through
the
caching
process,
so
certain
information
can
use
caching
to
be
able
to
store
information
and
kind
of
propagate
that
moving
forward.
This
would
be
also
data
that
we
normally
are
already
familiar
with,
and
information
that
we
can
already
have
access
to.
D
So
it's
relatively
not
evasive
or
like
it's
not
too
intrusive
for
the
user,
but
use
cases
that
we
can
currently
use
right
now
to
ensure
that
we
have
some
form
of
support
to
know
which
user
we
are
referring
to
and
whether
or
not
yeah
things
that
they
get
to
do
in
our
web
application.
Basically,
but
yeah
sheena.
Do
you
have
anything
to
add
to
this.
C
E
As
storage,
I
haven't,
you
know,
being
mostly
focused
with
node
and
the
back
end.
I
haven't
really
had
a
chance
to
play
around
with
it
that
much
on
the
front
end.
But
I've
heard
some
interesting
things
about
it's.
If
I'm
not
mistaken,
it's
it's
more
of
a
document,
db,
type
storage
or
key
value
type
storage,
rather
than
like
a
sequel
database
running
in
your
local.
E
A
Yeah,
so
cash
storage-
I
don't
think-
would
necessarily
be
the
appropriate
place
to
store
this.
I
think
session,
storage
or
local
storage
are
probably
good
ones.
Yeah
and
again,
there
are
other
apis
coming
so
with
web
or
thin.
So
the
ability
to
to
log
in
people
without
needing
to
pass
passwords
around
and
use
biometric
data
that
gets
stored
on
the
device
securely
and
I
think
that's
the
end
game.
A
It's
relatively
available
people
can
play
around
with
it
now,
but
I
haven't
seen
anybody
really
using
it
in
the
wild
I'd
love
to
find
out
if
anybody
is
using
it
and
I
think,
as
a
part
of
the
privacy,
sandbox
they've
also
they're,
calling
it
web
id
at
the
moment
and
if
you
can
think
of
it
like
a
federated
meta,
oauth
right
where
you've
got
your
identity
and
then
you
can
almost
attribute
logins
to
it.
A
So
that
means
that
you're
treating
the
browser
as
the
thing
that
controls
it
rather
than
cookies,
so
you're
you're,
almost
at
arm's
length
like
you,
don't
have
access
to
that
stuff
anymore.
The
browser
has
access
to
that
stuff
and
I
think
that's
that
that's
interesting.
It
might
be
a
thing,
but
I
haven't
done
any
research
about
that.
One
particularly.
C
So
one
interesting
thing
on
these,
which
I
guess
is
not
really
an
alternative
to
cookies,
but
streaming
out
this
tool
that
we're
using
they
don't
have
a
username
password
login.
C
So
they
made
something
easier
and
that's
that's
pretty
much
the
what
the
reasoning
behind
the
whole
thing
is.
I
thought
that
was
it's
quite
an
interesting
concept.
I
mean
very
different
to
pretty
much
anywhere
else.
You
go
these
days,
so
it's
an
another
alternative,
although
I
guess
they
probably
do
still
some
sort
of
cookie,
because
I
haven't
been
logged
out
since
I
logged
in
the
first.
A
D
I
think
we've
touched
on
a
little
bit
about
this,
but
what
I've
seen
through
my
investigation
that
I've
done
is
that
there's
different
people-
yes,
google
is
probably
the
big
name
that
is
getting
involved
in
getting
everyone
involved
right
now
to
talk
and
interrogate
their
purchase
and
cookies
and
trying
to
find
alternatives.
D
But
it
almost
seems
like
it's
such
a
difficult
problem
to
solve
and-
and
I
think
we
spoken
about
it
earlier
so
if
this
is
a
repetition-
sorry
about
that,
but
like
what.
Why
does
it
seem
like
it's
such
a
a
difficult
thing
to
solve?
What
is
it
about
cookies,
and
even
though
we
have
a
fair
understanding
of
what
we're
trying
to
do
with
it,
but
then
the
the
the
companies
that
be
here
and
like
different
type
of
people
find
this
a
very
hard
problem
to
solve.
C
B
Of
people
try
to
like
there's,
there's
big
bucks
in
taking
away
people's
privacy.
C
E
C
C
C
Something
we
spoke
about
a
couple
weeks
ago
when
we
were
all
chatting
is
that
it's
not
actually
that
fun
of
a
problem
to
solve.
You
know
it's
not
the
most
interesting
work
in
the
world.
E
Yeah,
I
think
also
some
frameworks
abstract
away
from
what's
actually
happening
under
the
hood,
and
then
you
end
up,
maybe
not
following
best
practice,
not
out
of
a
sense
of
choice,
but
because
it
was
the
easiest
default
to
actually
implement,
and
it's
like
you
know,
for
example,
a
big
fan
of
feathers.js.
E
It's
a
layer
that
runs
on
top
of
express
and
they
explicitly
store
their
jwts
by
default,
either
in
local
storage
or
session
storage
and
they've
got
all
sorts
of
reasoning
and
justification
in
their
docs.
For
how
to
do
that.
But
you
know
from
what
I
understand
is
one
of
the
most
secure
ways
to
actually
store
your
jwt
is
with
the
http
only
cookie,
so
that
third
party
javascript
libraries
can't
hijack
that
jwt,
even
if
it
is
only
a
short-lived
one,
and
so
I
was
like.
E
Let
me
see
if
I
can
go
ahead
and
change
this,
and
I
think
I
spent
about
an
hour
on
it
and
I
was
like
okay.
The
return
on
investment
for
this
is
just
not
worth
it
for
the
side
project,
so
I'm
just
gonna,
let
it
be
and
yeah
you
know
if
I
was
working
on
a
client
project.
On
the
other
hand,
you
know
it
would,
it
would
be
a
serious
amount
of
work
to
actually
find.
B
It's
also
the
option
of
having
both
a
secure,
cookie,
an
http
cookie
and
a
jwt
in
storage,
and
then
have
them
be
different
and
that
way
like
you
can't
steal
them
both
with
the
same
mechanism.
So
there's
a
bit
of
overlap.
A
A
A
Correct
yeah
and
there's
no
there's
nothing,
there's
no
cure
for
that
level
of
malice
or
ignorance,
unfortunately
yeah.
So
so
it's
interesting
about
first
party
alternatives.
I
don't
think
I
don't
think
it's
the
biggest
deal
at
the
moment
and
those
are
probably
the
last
the
cookies
that
are
going
to
be
shut
down.
A
But
again
it
is
a
thing.
Perhaps
if
we
could,
if
we
could
segue
a
little
bit
and
talk
about
things
that
are
easy
to
see,
but
are
dangerous
and
malicious.
Potentially
is
the
idea
of
user
fingerprinting
using
the
user
agent
string,
which
I
think
jerry's
got
some
more
details
on.
C
Yeah,
okay,
so
the
user
agent
string,
so
we
we
all
as
developers
heard
of
the
use
agent
string,
is
one
of
the
request.
Headers
gets
sent
with
every
request.
There's
it's
sent
by
default.
There's
no
way
to
stop
it
from
being
sent.
It's
sent
to
every
website.
Every
request
that
you've
ever
sent
most
people
would
probably
know
it
based
on
having
used
it
to
exclude
certain
browsers
from
their
functionality.
C
There
are
alternatives
to
doing
this
and
don't
use
the
user
agent
string,
but
there's
actually
so
much
more
than
just
what
your
browser
is
in
that
string.
So
is
your
browser,
the
version
of
your
browser,
the
platform
you're
running
or
operating
system,
you're
running
the
version
of
your
the
platform,
you're
running
the
device
that
you
have,
the
exact
version
of
the
device
that
you
have
and
a
bit
more.
So
all
of
that
thing
is
in
this
one
string,
and
it
was
also
like
cookies,
initially
developed
to
make
the
internet
better.
C
It
was
actually
developed
for
security
reasons,
but
over
time,
they've
started
using
user
agent
strings
to
track
people
and
just
from
a
user
agent
string.
Those
I
was
reading
a
blog
about.
This
was
very
interesting
thing
that
the
person
mentioned
on
the
blog.
They
said
that,
just
from
their
user
agent
string,
they
tried
to
fingerprint
themselves
and
found
that
their
device,
the
one
they
were,
writing
this
blog
post
on
was
unique
in
1.7
million
other
devices
just
from
the
user
agent
stream.
C
C
C
So
one
of
the
parts-
that's
really
scary
about
it-
is
that
a
lot
of
people
who
are
very
privacy
conscious,
disable
third-party
cookies
on
their
browsers,
so
so
that
people
contract
them
they,
oh,
they
use
more
secure
browsers
or
they
use
vpns.
So
people
can't
see
their
ip
address.
C
So
so
they
use
this
information
to
just
build
up
a
general
profile
of
who
you
are
right.
They
can't
actually
build
as
much
information
as
a
tracking
cookie.
Can
they
don't
know
who
you
are
exactly
but
based
on
the
information
they
get?
They
can
put
you
in
an
age
group
because
they
know
what
types
of
people
have
that
device
and
use
that
browser
they
could
figure
out.
C
Where
in
the
world
roundabout
you
live,
you
know
they
could
figure
out
whether
you're
male
or
female,
whether
you,
what
kind
of
work
you
do
even
potentially
based
on
your
device
type
or
at
least
group
you
into
sections
and
then
once
you're
in
a
group,
that's
small
enough.
They
can
target
ads
at
you.
C
There
are
alternatives
to
user
agent
strings
too
they're
still
very
new.
It's
only.
I
think
it's
only
available
in
chrome
at
the
moment,
but
it's
not
under
flag
anymore.
It
is
available.
So
it's
called
the
user
user
agent.
Client
string
and
all
it
sends
is
it's
also
a
header
and
you
send
it
all
it
will
send
to
the
server
is
a
browser
name.
C
So
just
your
browser
name
not
version.
Nothing
else,
and
then,
if
you
want
anything
else,
you
have
to
request
it
and
if
you
request
it,
you
have
to
do
it
one
one
item
at
a
time.
So
if
you
want
platform,
you
say
platform
and
it
will
give
back
android
or
whatever
you
know,
then,
if
you
want
version,
you
have
to
request
it,
so
you
have
to
keep
sending
requests,
which
would
obviously
like
decrease
your
performance.
If
you
still
want
to
track
people
but
yeah.
C
So
that's
something
that
is
available
in
chrome,
on
chromium
actually.
So,
therefore,
in
edge
and
most
other
browsers
that
come
from
chromium.
A
Yeah, because you might be communicating between two trusted parties, right, two people who are both completely trustworthy, but you might be routing through network infrastructure that is maybe not so trustworthy, and there's no control over that, and these agent strings can be spotted. So I think it's a good point, but to wrap up for the last 15 minutes or so.
A
You know, like, Microsoft and Google are both in the ads business, as is Facebook and the likes, so they've got this active interest in these standards being propagated out.
A
But even then, like, browser support is always a thorny problem, and I think the fundamental premise of the thorny problem is that big upfront design sucks; it fails consistently, and the standardization process, by its very definition, is big upfront. They're trying to move away from it, but, like, I think the long arm of the W3C, it moves really slowly. Although, yeah, it would be the W3C, because this is HTTP, not HTML, so it's not the WHATWG working group. And it's an interesting one of differing approaches.
A
There are some browser manufacturers, like Firefox, that want the standardization to be done before building anything, because otherwise there's no standard, and then there is Chrome and Safari, which do things very differently. So Chrome is very eager to push out these features behind origin trials, so you can sign up for an origin trial for your domain, and then if people are using Chrome, these features will be available to you.
A
So, so yeah, we've got this tested tension between different methodologies in terms of how software gets delivered. Yeah, discuss. When can we use this stuff?
C
Well, one of the things I found quite cool when looking into this stuff, actually quite interesting with what you were talking about, the origin trials, is, even though Edge is the blue Chrome, they're based on Chromium, right, so they're, but what's really cool about it is that the two teams at Google and Microsoft are working on different parts, solving different problems, and then contributing, both contributing back to Chromium.
C
So it's not like, you know, they have to solve the same problem multiple times, which is kind of nice, because then there's at least people approaching it from different angles, so there's different opinions. And I know, like, I mean, I'm sure there's people who've worked on both, at Google and Microsoft, on the same thing, but at least there's, like, different opinions for it, which is good, because it should drive at least that part of it forward.
A
That's why standardization will always, should always, trail open source, because open source is independently viewable and auditable, and you can scale beyond what you're prepared to put in, and I think that's one of the big reasons why Microsoft went to Chromium, so that, you know, we're all working on this together, and you've got two major corporations that are both checking one another out, so to speak, and making sure that everything is above board.
A
But then, in the positive use case, they're both working on different features, so you've doubled the landscape of users that you can access, or sorry, of developers that you can access, which is wonderful.
A
Yeah, so therein lies the other issue, is that so there are origin trials and testing of this feature, so it can inform design, right, but if people start relying on the design and they then discover something, it's a long road to plug that hole, you know, even if you can see the bug and it's a trivial fix.
A
But interesting food for thought. I think there's this tacit tension between standardization and open source that we have to acknowledge.
E
Yeah, I think, you know, now with Edge moving also on to Chromium, we've got Firefox and Safari as the only other competitors. Otherwise, you know, there's pros and cons for having a single standard versus competing, and I think we go through these waves where everybody, like, I mean, Mike, you lived through the JavaScript explosion where there was a new framework every week to do
E
you know, whatever, and now we've kind of got three that we've settled on, it's, you know, React, Vue and Angular, and that'll be stable for a little bit, and then people will be like, nah, this is rubbish, we've got to do something else, and it'll, like, happen again. And so it's interesting to live through these phases as you get more experienced as a developer.
A
You know, that was 2015, so six years ago, and if you look at the graph of years of experience versus numbers, it's very heavily skewed to three to five. So the vast majority of people who are seniors have never had to work in the old world. That makes sense. So you just made me feel again, that's all you're.
A
Thanks, I'm glad. I was trying to, because you're hiding the grey hair that's underneath the beanie. So there's.
A
Nice, all right. So I think, does anybody else have any questions or comments? I don't see any questions from the stream, so I think we can wrap up. I think it's an interesting space. I think Google has probably been the most vocal recently that this is legit a thing that they're going to do, but turning off cookies violates the number one rule, Jerry. What is the number one rule?
C
I'm sorry, that's, speaking of the number one rule, it's, it again talks to what you were just saying, like, where they can, we can, we can both these new things, we can, but we can't bug fix, because we can't break the web. It's quite crazy, like, it's very, very difficult.
A
I have a question, we've got a question from the chat. It's, hey, thanks for joining us. So this is a very, very good question, right, because anybody that's tried to visit a news article site, right, that has put up a big, stinking cookie banner in front of you and said that, basically, unless you accept all of our cookies, you can't use the content, which they're within their rights to do, but that's by definition gatekeeping.
C
I think that also speaks to the, like, we would close the window and not accept the cookies if they do that, right, because we understand what's happening, but again, there's people who don't know, and they'll just click accept because they really want to read that article, or that's the recipe they found for whatever they're making, banana bread, I don't know what is the new trend.
D
Off, and I wanted to put us in a situation where we were solving for this kind of problem, right, but in the promises of the future. Ideally, people also do the things and sign up for things that they don't understand for convenience, so that the web and everything can think for them, so that they can just click a button and proceed, right. So the idea is that we are moving to a world where we want something.
D
What is it that you would do, as the panel speakers, right now, to cater for situations like that without invading a user's privacy?
B
So, do you mean people picking the "I accept T's and C's" box without reading things, or something? I mean that, or, like, the automated, like, the shop knows that you don't have milk in your fridge.
D
I want the automated "I want milk in my fridge" approach, but without you invading my data, or, you know, doing something malicious.
D
Well, without my banking details and things like that, because, like, the idea is that these things are put in place; they have to collect information to make it possible for applications and websites to do these things. So if you are subscribed to Woolies, you want to give it information so that it can deliver the milk for you. But how can we do that if we don't collect information about a user?
A
Unmute first. Interesting point, and I think that these APIs are supposed to surface that sort of, or at least try and engage with surfacing, with very specific, targeted and user-centric ways of capturing data, so putting it in the user space, letting them make an informed decision about what they're doing, and then saying, you know what, I'm actually okay with Woolies delivering Woolies water to me once a week.
A
Yeah, absolutely. So I've got a very simple, pragmatic answer to this. You can use a third-party service that's going to basically shoehorn in some privacy into your web application, or you can not set the third-party tracking cookies, which is entirely possible, like if you're talking about Google AdSense or Google Tag Manager or, hell, even Facebook.
A
There are ways for you to load up the entire page, don't let any cookies be set, and then have those cookies set as a deliberate action. You know, unfortunately, so the pattern of the big stinking pop-up saying "add all cookies" is, unfortunately, the best practice for the moment. There are the services that I was talking about; they are consent federation services, because they can fingerprint you, right. They know exactly who you are, so when you go around the internet and you've already accepted tracking on one of the ad publishers,
A
that will follow you around and you will always be tracked, maybe not always, but, which makes it difficult, right. So accepting those T's and C's has a long-reaching arm that I don't think many people are aware of, like, in some ways.
A
People are more prepared to accept that your phone is busy spying on you and reporting that data back to Google or Facebook or whatever the case may be, when the reality is, unfortunately, a lot less sci-fi and a lot less entertaining, and that's that you're choosing to give the stuff away at every, yeah.
A
Okay, awesome. So rewind to the part where I say thank you all; it was awesome hanging out. Next month's Jozi.js we're gonna do something a little bit different, and we're going to talk about architectural patterns that you need to know, which is going to be