- From: Roy Fielding via cvs-syncmail <cvsmail@w3.org>
- Date: Wed, 18 Jul 2012 11:05:10 +0000
- To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory hutz:/tmp/cvs-serv4879
Modified Files:
tracking-dnt.html
Log Message:
ISSUE-124: (incomplete) revise tracking status value to N/0/1/C/X
Index: tracking-dnt.html
===================================================================
RCS file: /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html,v
retrieving revision 1.126
retrieving revision 1.127
diff -u -d -r1.126 -r1.127
--- tracking-dnt.html 18 Jul 2012 08:51:40 -0000 1.126
+++ tracking-dnt.html 18 Jul 2012 11:05:07 -0000 1.127
@@ -506,7 +506,7 @@
</section>
</section>
- <section id='responding' class="option">
+ <section id='responding'>
<h2>Communicating a Tracking Status</h2>
<section id='response-overview'>
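Review bot: Dropping class="option" from the 'responding' section is not mentioned in the log message, which only cites ISSUE-124 and the status value revision. If the section is meant to stop being presented as an option, say so in the log or make that change in a separate commit so it can be reviewed on its own.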
@@ -543,6 +543,86 @@
</p>
</section>
+ <section id='tracking-status-value'>
+ <h3>Tracking Status Value</h3>
+
+ <p>
+ A <dfn>tracking status value</dfn> is a short notation for
+ communicating how a designated resource conforms to this protocol.
+ For a site-wide tracking status resource, the designated resource
+ is any resource on the same origin server. For a Tk response
+ header field, the resource that sent the Tk header field in response
+ is the designated resource, and remains the designated resource
+ for any subsequent request-specific tracking status resource
+ referred to by the Tk field's status-id.
+ </p>
+ <p>
+ Each of the response mechanisms use a common format to indicate
+ the tracking status for a designated resource. This
+ <dfn>tracking status value</dfn> is a string of characters from a
+ limited set, where the meaning of each allowed character is
+ defined in the following table.
+ </p>
+ <table class="simple" width="80%" align="center">
+ <tr><th>status</th>
+ <th>meaning</th>
+ </tr>
+ <tr><td align="middle">N</td>
+ <td>None: The designated resource does not perform tracking or
+ make use of any data collected from tracking, not even for
+ permitted uses.<td>
+ </tr>
+ <tr><td align="middle">1</td>
+ <td>First party: The designated resource is designed for use
+ within a first-party context and conforms to the requirements
+ on a first party.</td>
+ </tr>
+ <tr><td align="middle">3</td>
+ <td>Third party: The designated resource is designed for use
+ within a first-party context and conforms to the requirements
+ on a third party.<td>
+ </tr>
+ <tr><td align="middle">X</td>
+ <td>Dynamic: The designated resource is designed for use in
+ both first and third party contexts and dynamically adjusts
+ tracking status accordingly.
+ If this value is present in the site-wide tracking status,
+ more information will be provided via the Tk response header
+ field.
+ If this value is present in the Tk response header field,
+ more information will be provided in the request-specific
+ tracking status resource referred to by the status-id.
+ "X" MUST NOT be present in the tracking status value of
+ a request-specific tracking status resource.<td>
+ </tr>
+ <tr><td align="middle">S</td>
+ <td>Service provider: The designated resource is operated by
+ a service provider acting on behalf of the first party
+ and conforms to the requirements for both a first party
+ and a service provider acting as a first party.<td>
+ </tr>
+ <tr><td align="middle">C</td>
+ <td>Consent: The designated resource believes it has received
+ prior explicit and informed consent for tracking this user,
+ user agent, or device, perhaps via some mechanism
+ not defined by this specification, and that prior consent
+ overrides the tracking preference expressed by this protocol.
+ When prior consent is indicated, the tracking status object
+ SHOULD include a <code><a>control</a></code> member that
+ references a resource for modifying the consent.<td>
+ </tr>
+ </table>
+ <p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/137">ISSUE-137</a>: Does hybrid tracking status need to distinguish between first party (1) and outsourcing service provider acting as a first party (s)<br />
+ <b>[OPEN]</b> There is significant disagreement over whether a
+ service provider acting on behalf of a first party needs to
+ indicate such in the tracking status. It is particularly nonsensical
+ given that there may be dozens of service providers acting on any
+ request and the service provider definition is already limited to
+ cases where any data collected is siloed and under control of
+ the first party.
+ </p>
+ </section>
+
<section id='status-resource'>
<h3>Tracking Status Resource</h3>
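Review bot: The row for status 3 says "designed for use within a first-party context" although it is labelled Third party and ends with "conforms to the requirements on a third party"; this looks copied from the row for 1 and should read third-party context. In the same table the cells for N, 3, X, S and C end with an opening <td> instead of </td>, and "tracking status value" is wrapped in <dfn> in both introductory paragraphs, so the term is defined twice. The characters defined here (N, 1, 3, X, S, C) also differ from the N/0/1/C/X named in the log message, and the ISSUE-137 text writes the service provider code as (s) while the table uses S.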
@@ -779,33 +859,18 @@
</section>
<section id='status-response-value'>
- <h3>Response Value</h3>
+ <h3>Qualifier Value</h3>
<p>
- When present, the tracking status response member's value
- consists of a string of characters that starts with the tracking
- status, signified by <code>t</code> (tracking), <code>n</code>
- (not tracking), or <code>s</code> (see the more specific tracking
- status resource), and MAY be followed by a set of qualifier
- characters indicating reasons or limitations applicable to
- that status. Multiple qualifiers can be provided.
+ When present, the tracking status qualifier member's value
+ consists of a string of characters indicating what permitted
+ uses for tracking are being used.
+ Multiple qualifiers can be provided.
</p>
<table class="simple" width="80%" align="center">
<tr><th>qualifier</th>
<th>meaning</th>
</tr>
- <tr><td align="middle">1</td>
- <td>First-party: The origin server acts as a first-party for
- requests on this resource, either in all contexts when no
- "3" qualifier is present or only for the domains listed in
- <a>same-party</a>.</td>
- </tr>
- <tr><td align="middle">3</td>
- <td>Third-party: The origin server acts as a third-party for
- requests on this resource, either in all contexts when no
- "1" qualifier is present or only for the domains not listed
- in <a>same-party</a>.<td>
- </tr>
<tr><td align="middle">a</td>
<td>Audit: Tracking is limited to that necessary for an
external audit of the service context and the data
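Review bot: The heading changes to "Qualifier Value" but the enclosing section keeps id='status-response-value', so the anchor no longer matches the term it names; rename the id and update references to it, or keep the old id deliberately and say so. The new sentence "indicating what permitted uses for tracking are being used" is awkward and could read "indicating which permitted uses of tracking apply". With the 1 and 3 rows removed from this table, a pointer to the Tracking Status Value section would tell readers where those values went.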
@@ -815,11 +880,6 @@
<td>Ad frequency capping: Tracking is limited to frequency
capping and the data collected is minimized accordingly.<td>
</tr>
- <tr><td align="middle">p</td>
- <td>Prior consent: The origin server believes it has received
- prior explicit and informed consent for tracking this user,
- user agent, or device.<td>
- </tr>
<tr><td align="middle">f</td>
<td>Fraud prevention: Tracking is limited to that necessary
for preventing or investigating fraudulent behavior and
@@ -847,30 +907,7 @@
that each such use conforms to the associated requirements.
All limitation qualifiers imply some form of tracking might
be used and thus MUST NOT be provided with a tracking status
- that begins with <code>n</code> (not tracking).
- </p>
- <p>
- A <code>1</code> qualifier indicates that the resource has been
- designed for use within a first-party context and will conform to
- the requirements on tracking by a first-party.
- A <code>3</code> qualifier indicates that the resource has been
- designed for use within a third-party context and will conform to
- the requirements on tracking by a third-party.
- If both qualifiers are present, the resource is designed to
- dynamically adjust its tracking behavior according to the context
- in which it is used, and thus conforms to first-party requirements
- when used in a first-party context and third-party requirements
- when used in a third-party context.
- </p>
- <p>
- A <code>p</code> qualifier indicates that the origin server
- believes it has obtained prior explicit and informed consent for
- tracking the requesting user agent, perhaps via some mechanism
- not defined by this specification, and that prior consent
- overrides the tracking preference expressed by this protocol.
- When prior consent is indicated, the tracking status object
- SHOULD include a <code><a>control</a></code> member that
- references a resource for modifying this consent.
+ that begins with <code>N</code> (not tracking).
</p>
<p>
Future extensions to this protocol might define additional
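Review bot: The replacement line glosses N as "(not tracking)", but the table added in the Tracking Status Value section defines N as "None", meaning no tracking and no use of tracking data "not even for permitted uses". Use the same term in this parenthetical so the MUST NOT is read against the defined value rather than the old n code.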
@@ -886,11 +923,6 @@
might perhaps even move to that document in the sections defining the
permitted uses. The above list will be updated accordingly.
</p>
- <p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/137">ISSUE-137</a>: Does hybrid tracking status need to distinguish between first party (1) and outsourcing service provider acting as a first party (s)<br />
- <b>[PENDING REVIEW]</b> No, a third party that satisfies the
- requirements for acting as a first party will communicate to
- users as the first party.
- </p>
</section>
<section id='using-tracking-status'>
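Review bot: ISSUE-137 is deleted here as [PENDING REVIEW] with a "No" answer and reappears in the new Tracking Status Value section as [OPEN] with different text. The log message only cites ISSUE-124, so the change of issue status and wording should be recorded in the log or split into its own commit.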
Received on Wednesday, 18 July 2012 11:05:15 UTC