EU-EDPS/website-evidence-collector

Questionable assumption: First Party

Closed this issue · 2 comments

To be first party, the resource domain must match the domain of the inspected web service or other configured first-party domains.

Domains lie:

  • subdomains can point to another data controller by CNAME cloaking
  • can be spoofed in the middle
  • can be incorrectly resolved by hosts file locally

Even a resolved name does not guarantee that the next request will be processed by the same data controller, for example due to misconfigured round-robin, anycast or multicast addressing.

Please specify the technique of the existing First Party matching and the risks of inadequate conclusions/evidence. I vote for TLS-based matching, where possible.

The HTML output for the layperson always includes a glossary with definitions of terms, including first-party:

[Image: Screenshot_20210303_230415]

Note here that "subdomain.domain.tld" is not the same domain as "domain.tld".

So the only assumption is that files in the parent path share the party classification of the parent path. Otherwise, it is up to the WEC operator to tell what belongs to the first party.

Documentation can certainly always be improved and I am happy to consider pull requests.

First-party matching is a common problem. IMO, first-party is any URL (not URI!) that shares the TLS certificate of the inspected URL.

For example, spoofed http://domain.com may not represent https://domain.com, cloaked https://www.domain.com may not represent https://domain.com, etc.
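
Added example, not part of the thread and not WEC's own code: the hostname rule from the glossary and the certificate rule proposed above, applied side by side to constructed request records so that the cases where they disagree become visible. All function names, the record layout, the `fp-*` fingerprints and the CNAME target are assumptions, and "shares the TLS certificate" is modelled here as an identical leaf-certificate fingerprint.

```javascript
// Constructed observations: what a collector could record per request.
// Fingerprints and CNAME targets are made-up placeholders, not real data.
const inspected = { url: 'https://domain.tld/', certFp: 'fp-A' };
// Operator-configured first-party hosts (the subdomain is listed explicitly).
const firstPartyHosts = new Set(['domain.tld', 'metrics.domain.tld']);

const observed = [
  { url: 'https://domain.tld/app.js', cnames: [], certFp: 'fp-A' },
  { url: 'http://domain.tld/pixel.gif', cnames: [], certFp: null }, // plain HTTP
  { url: 'https://metrics.domain.tld/c',
    cnames: ['collector.tracker.example'], certFp: 'fp-B' },
  { url: 'https://cdn.example/lib.js', cnames: [], certFp: 'fp-C' },
];

// Hostname rule: exact host match against the configured set.
function byHostname(o, hosts) {
  return hosts.has(new URL(o.url).hostname);
}

// Certificate rule: same leaf certificate as the inspected URL.
function byCertificate(o, ref) {
  return o.certFp !== null && o.certFp === ref.certFp;
}

// A CNAME target outside the configured hosts is a possible cloaking signal.
function leavesFirstParty(o, hosts) {
  return o.cnames.some((target) => !hosts.has(target));
}

// Classify every record under both rules and note why evidence may be weak.
function classify(list, ref, hosts) {
  return list.map((o) => {
    const host = byHostname(o, hosts);
    const cert = byCertificate(o, ref);
    const notes = [];
    if (host !== cert) notes.push('hostname and certificate rules disagree');
    if (leavesFirstParty(o, hosts)) notes.push('CNAME leaves first-party set');
    if (o.certFp === null) notes.push('no certificate: plain HTTP');
    return { url: o.url, host, cert, notes };
  });
}

for (const r of classify(observed, inspected, firstPartyHosts)) {
  console.log(r.url, 'host:', r.host, 'cert:', r.cert, r.notes.join('; '));
}
```

Records with a non-empty `notes` list are the ones where a first-party label based on the hostname alone would need a caveat in the evidence.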