This seems like a cut-and-dry case of getting caught in monopolistic behavior. The code is right there. The Chrome codebase has special features for Google’s own web properties.
I hope all these AGs suing Google have some good tech advisors. It’s hard to keep track of all the nefarious things Google has been up to over the past decade.
> This seems like a cut-and-dry case of getting caught in monopolistic behavior. The code is right there.
???
Is "Darn, their browser only gets to track me on their own websites; if Google were playing fairly, they'd send the tracking header to all websites so I can be tracked more and have less privacy" the argument you're making here?
And it's debatable that this header is actually serving a tracking purpose at all. Being limited to their own web properties cements it as a diagnostic to me. What use is a tracking header that only gets sent to domains they already know you're visiting?
You realize that whenever a user visits a page that uses AdWords, AdSense, or login via Google, they download a script file from one of those domains, right?
So a user can log into Google and then log out, tying that header data to whatever PII Google has attached to them, and future visits to any sites using those and probably other services can be attached to the individual, despite them having intended to be logged out of Google services.
All I’m saying is the optics are not good. This is the kind of code you could show a jury. A high schooler who took “intro to CS” could understand what it’s doing.
It’s literally a conditional attached to a list of strings comprised solely of Google advertising domains and hosts that distribute scripts from those domains.
When you’re talking about anti-trust, it doesn’t look good. Will this be a nail in the coffin? Unlikely. Will it help Google with its legal trouble? Definitely not.
Security flaw? Surely some entity is squatting youtube on some TLD?!
If there is a country TLD of X where Google owns google.X but entity Y owns youtube.X then entity Y gets the X-CLIENT-DATA header information. See usage of IsValidHostName() in code.
Note this would be a privacy flaw which is not covered by the Chrome Rewards program (which only covers security flaws) so I haven’t bothered logging it as a bug since I don’t want to waste my time verifying it for nothing!
Previous discussion: https://news.ycombinator.com/item?id=21034849