Not a security flaw, you just synced his browser settings with your account.
The proper way to log into another person's Chrome is by adding a new user in the "Personal Stuff" area first.
In some situations, the cookies we use to secure and authenticate your Google Account and store your preferences may be served from a different domain than the website you're visiting. This may happen, for example, if you visit websites with Google +1 buttons, or if you sign into a Google gadget on iGoogle.
Some browsers require third party cookies to use the P3P protocol to state their privacy practices. However, the P3P protocol was not designed with situations like these in mind. As a result, we've inserted a link into our cookies that directs users to a page where they can learn more about the privacy practices associated with these cookies.
Information that Google collects in association with these cookies is subject to our Privacy Policy.
The dishonesty of this statement is stunning. IE is designed to only accept the cookie if Google promises not to use it for tracking. Google wants to use the cookie for tracking so they provide a dishonest promise and then explain they're lying because IE didn't have them in mind -- when this is exactly what IE had in mind.
99% of people leave their settings at the default and don't give a damn and just want it to work. When it doesn't work it's broken. Period, end of story. They will say: "Shut up with your geeky explanation" when you explain to them your options. There may be a really long complicated answer as to why it doesn't work but 99% of users don't give a crap. If you are a smart guy you can just use ad block. There, done.
Microsoft is very well aware of the fact that users never change the default settings and IMHO would love to use this to break Google by default and destroy their business model. This fits in well with the usual MS tactics of spreading paranoia, incompatibility, legal threats, obfuscation and confusion.
IMHO, Microsoft would love to exploit privacy fears to remove features from the web and break it so everyone just goes back to the desktop. In my opinion, if they could get away with breaking an ajax call, because hey they might be tracking you, they would in order to kill usability of web software in favor of the desktop software model. They will try anything they possibly can to win.
Did you ever see the list of IE6 features that got canned (e.g "Smart Tags") because of the antitrust investigation? It makes me shudder what the web would be like with these jerks in control.
According to the article, Google has done it in a way that indicates (according to the P3P protocol) "that the cookie will not be used for any tracking purpose or any purpose at all."
Basically they are abusing the standard to force P3P browsers to override the user's choice to block 3rd party cookies, by telling the browser that the cookie isn't intended for tracking, but Google is using it to track users.
That's kind of appalling privacy-wise.
Maybe it isn't maliciously intended, which is what you mean, but it is an intentional misuse of a browser feature to force user tracking.
That's why it's a brilliant piece of passive-aggressive engineering!
It undermines both the letter and intent of P3P, while ostensibly informing the user. The exact same string is a lie to the protocol, but the truth when read by a person outside of the protocol-context!
It's kind of like a file that's both a legal and harmless GIF and a malicious executable Java JAR. (Look up [GIFAR vulnerability] for more details.)
So if someone goes to Mashable and clicks a "like" button, it won't work unless they specifically allow 3rd party tracking on Mashable? And then again on the WSJ, and again on Youtube? Or is it that they need to allow Facebook tracking once and then it works on all sites that have a "like" button?
If it's the former, then I'd say P3P is horribly broken and bypassing it for "like" buttons would be the only way to make things work.
And even if it's the latter, giving a site carte blanche tracking rights seems too coarse for comfort (unless you could grant permission ONLY for "like" buttons and nothing else).
Someone instructs their browser to not accept third party cookies, full stop. Google then does something, mumbles a bit, and then sets a third party cookie.
The nefarious bit is in IE, which, although it pretends to allow you to "instruct the browser not to accept 3rd party cookies, full stop," actually accepts third party cookies from any site with a P3P code it doesn't understand.
>The nefarious bit is in IE, which, although it pretends to allow you to "instruct the browser not to accept 3rd party cookies, full stop," actually accepts third party cookies from any site with a P3P code it doesn't understand.
No, if you select that option, it actually blocks all third party cookies.
So do you work at Google or are you just a fanboy? IE is not being nefarious in this case. IE is following a standard that Google is actively abusing. Not sure why you have such an infatuation with Google, but I dare say: Everything in moderation.
Not exactly. The user setting is inaccurate, as it actually should have said "Do not allow 3rd party cookies, except for those from sites which have a code that indicates they aren't tracking cookies or a code we don't understand."
Instead it says "Third Party Cookies" with choices of Accept, Block, or Prompt.
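An added example, not part of this thread: a small Python audit that sorts a response's P3P header into the three cases the argument above turns on, no compact policy at all, a compact policy built from P3P 1.0 vocabulary tokens, and a CP value that is not P3P vocabulary (the "link inserted into our cookies" case Google describes). The token table is transcribed from the compact-policy section of the P3P 1.0 specification; the hostnames and header values are constructed samples, not captured traffic.

```python
import re

# P3P 1.0 compact-policy (CP) vocabulary, grouped by policy element.
# Purpose and recipient tokens may carry an "a"/"i"/"o" suffix
# (always / opt-in / opt-out).
_CP_TOKENS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"},
    "remedies": {"COR", "MON", "LAW"},
    "non_identifiable": {"NID"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
                "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                 "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test": {"TST"},
}
_SUFFIXED = {"purpose", "recipient"}


def classify_p3p(header):
    """Return (status, unknown_tokens) for a P3P response-header value.

    status is "absent" (no CP="..." directive), "valid" (every token is
    P3P 1.0 vocabulary) or "bogus" (CP present but not P3P vocabulary).
    """
    if header is None:
        return "absent", []
    m = re.search(r'CP\s*=\s*"([^"]*)"', header)
    if not m:
        return "absent", []
    unknown = []
    for tok in m.group(1).split():
        base, suffix = tok[:3], tok[3:]
        known = any(
            base in names and (suffix == "" or (group in _SUFFIXED and suffix in ("a", "i", "o")))
            for group, names in _CP_TOKENS.items()
        )
        if not known:
            unknown.append(tok)
    return ("valid" if not unknown else "bogus"), unknown


# Constructed sample responses from hypothetical third-party hosts.
SAMPLE_RESPONSES = {
    "ads.example.net": 'CP="NOI DSP COR NID CURa ADMa DEVa TAIa OUR BUS IND"',
    "widget.example.org": 'CP="This is not a P3P policy. See https://example.org/p3p"',
    "cdn.example.com": None,
}


def audit(responses):
    """Map each host to its P3P header status, for review of third-party setters."""
    return {host: classify_p3p(value)[0] for host, value in responses.items()}
```

Running `audit(SAMPLE_RESPONSES)` flags widget.example.org as "bogus", which is the header shape a third-party cookie filter should treat as having no usable policy rather than as a non-tracking promise.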
>Not exactly. The user setting is inaccurate, as it actually should have said "Do not allow 3rd party cookies, except for those from sites which have a code that indicates they aren't tracking cookies or a code we don't understand."
That's exactly what they do.
>Instead it says "Third Party Cookies" with choices of Accept, Block, or Prompt.
No, it doesn't.
You sound as if you have researched it, but you seem to be trying to mislead folks by spreading nonsense.
Google is intentionally using the loophole. They are intentionally circumventing users’ wishes. That’s nefarious. It’s first and foremost a moral failing. That’s exactly the problem. Just because it’s possible doesn’t mean it’s right.
That the loophole exists is a separate issue that also has to be remedied – but it doesn’t make Google’s behavior any less evil.
If by "mumbles a bit" you mean not supporting an unsupported and defunct proposed "standard" that doesn't work in practice and is only implemented in IE, then yeah.
It's a W3C recommendation. Scare quotes around the word standard are unnecessary, since a vast number of current web standards came out of W3C processes.
Or is it not 'standards-compliant' when WebKit implements features that only WebKit has, even if they're from W3C standards?
It's not really much of a standard if no one references it in the real world.
And the W3C standards are most successful when they document how technology is already being used in the wild. Proscriptive web standards handed down from on high have historically not fared well. Plenty of W3C standards are duds.
Why does everyone always assume quotes are used as scare quotes? I quoted "standard" because it's not a standard. If the standards body no longer exists and no one follows the standard, it's not a standard.
"Scare quotes are quotation marks placed around a word or phrase to indicate that it does not signify its literal or conventional meaning."
"If scare quotes are enclosing a word or phrase that does not represent a quotation from another source they may simply serve to alert the reader that the word or phrase is used in an unusual, special, or non-standard way or should be understood to include caveats to the conventional meaning."
I would have thought the "proposed" and "defunct" clauses would indicate that "standard" was in name only. The term "scare quotes" indicates to the reader that the writer is intending to mislead or persuade. I don't agree that my usage constitutes what is generally accepted as scare quotes, but even if you disagree, the point still stands. IE is stomping its feet complaining that Google isn't supporting a standard that only IE supports (when even the standards body doesn't support it anymore).
Come up with a better standard, then complain when Google breaks it. Otherwise it's just another example of Google being "evil" (that's scare quotes).
After a successful Last Call, the P3P Working Group decided to publish the P3P 1.1 Specification as a Working Group Note to give P3P 1.1 a provisionally final state.
The P3P Specification Working Group took this step as there was insufficient support from current Browser implementers for the implementation of P3P 1.1. The P3P 1.1 Working Group Note contains all changes from the P3P 1.1 Last Call. The Group thinks that P3P 1.1 is now ready for implementation. It is not excluded that W3C will push P3P 1.1 until Recommendation if there is sufficient support for implementation.
This is the last update from the group that was posted in 2006. It's never been pushed by the W3C, and the browser creators never implemented it.
I have absolutely no opinion on the standard, so I'm not sure why you keep telling me extraneous shit. Read what I typed; don't get upset when people accuse you of using scare quotes when you're using scare quotes.
edit: sorry, I was wrestling with a stubborn CPU fan, and you seemed like that CPU fan. Turns out the CPU fan was not stubborn, but well-designed, and I probably wasn't communicating well.
This reply was misposted, it was supposed to be in response to someone else. I've copied and pasted it to the correct person, but cannot delete this one.
I have no idea what your edit means, but I'm going to take it as a compliment and believe we were both mistaken on each other's arguments. Because I like to keep things cool, like a CPU fan.
After a successful Last Call, the P3P Working Group decided to publish the P3P 1.1 Specification as a Working Group Note to give P3P 1.1 a provisionally final state. The P3P Specification Working Group took this step as there was insufficient support from current Browser implementers for the implementation of P3P 1.1. The P3P 1.1 Working Group Note contains all changes from the P3P 1.1 Last Call. The Group thinks that P3P 1.1 is now ready for implementation. It is not excluded that W3C will push P3P 1.1 until Recommendation if there is sufficient support for implementation.
This is the last update from the group that was posted in 2006. It's never been pushed by the W3C, and the browser creators never implemented it.
That's the point.
In France it's forbidden to sell at a price lower than the production cost.
As the Google Maps service was sold at a price of ... zero, chances are it was under the cost of production.