On 1 July 2018 at 15:41, Nir Soffer <nsoffer@redhat.com> wrote:
After watching Sarah Bird's great talk about the terrifying web[1], I found that for
some reason 3rd party cookies were enabled in my browser.

After disabling them, I found that gerrit is using 3rd party cookies from gravatar.com.
(see attached screenshot).

Why do we allow 3rd parties like gravatar to set cookies?

We don't "allow" 3rd parties. For a 3rd party to be able to set cookies on your site you need to have some elements on your page that make the browser pull content from them. In the case of Gravatar what we have are <img> tags with "src" attributes that contain URLs that point to Gravatar and contain one-way hashes of user email addresses. Those URLs resolve to the users' avatars if they registered their emails with Gravatar.

This is just how Gravatar works - it's very simple and reliable; to have it work differently would require complex and fragile server-side code on our side and would probably be prone to more security issues than the current system.

The only 3rd party we engage currently is Gravatar, and I've no reason to believe they engage in any sort of tracking. The maintainers of Gravatar are also the maintainers of WordPress, one of the bigger open-source poster-child projects, which is all about people hosting their own stuff rather than catering to the requirements of proprietary gate-keepers like Facebook and GitHub (Now Microsoft...)...

Bottom line, I've strong reason to believe this is a false alarm.

Can we use gravatar without setting cookies?

This looks like a simple session cookie; try to log out of your account on Gravatar and see if it vanishes...
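As an added example (not code from this thread, from Gerrit or from Gravatar), the Python below reproduces the scheme the reply describes, an avatar URL built from an unsalted hash of a normalized email address, and audits a page for the third-party hosts its <img> tags will make the browser contact. The sample markup and hostnames are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


def gravatar_url(email: str, size: int = 80) -> str:
    """Derive an avatar URL the way Gravatar documents it: trim, lowercase, MD5.

    The hash is unsalted and deterministic, so one email yields the same URL on
    every site that embeds it: the request to gravatar.com carries a stable
    per-user value even though the email itself is never sent.
    """
    digest = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()
    return f"https://www.gravatar.com/avatar/{digest}?s={size}&d=identicon"


class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in a page."""
    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def third_party_image_hosts(html: str, first_party_host: str) -> set[str]:
    """Hosts other than our own that <img src> makes the browser fetch from; each
    receives a request carrying any cookies it previously set for its domain."""
    collector = _ImgCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        host = urlsplit(src).hostname  # None for relative paths such as /static/x.png
        if host and host != first_party_host:
            hosts.add(host)
    return hosts


# Constructed sample page with hypothetical hostnames: one local image, one avatar.
SAMPLE_HTML = (
    '<img src="/static/logo.png">'
    f'<img src="{gravatar_url(" Reviewer@Example.org ")}" alt="avatar">'
)
```

Running `third_party_image_hosts(SAMPLE_HTML, "gerrit.example.org")` lists only `www.gravatar.com`, which is the one external host this page makes the browser talk to.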

