W3C home > Mailing lists > Public > public-tracking-commit@w3.org > February 2013

CVS WWW/2011/tracking-protection/drafts

From: CVS User dsinger2 <cvsmail@w3.org>
Date: Tue, 12 Feb 2013 15:16:40 +0000
Message-Id: <E1U5Hb6-0004ZV-E0@gil.w3.org>
To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv17573

Modified Files:
Log Message:
updated/inserted/removed issues to maintain sync with the issue database

--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html	2013/01/30 21:10:26	1.181
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html	2013/02/12 15:16:40	1.182
@@ -421,10 +421,6 @@
       <section id='js-dom'>
         <h3>JavaScript Property to Detect Preference</h3>
-                <p class="issue" data-number="160" title="Do we need an exception-query API?"><b>[PENDING REVIEW]</b>
-            It might be useful, and 'complete the model', if we had a JS API that told a host what its current exception status is in a given context. See proposal here.<br />
-            <b>Proposal</b>: Specifically, a doNotTrack property which examines the <b>document origin</b> of the window, the current <b>top-level origin</b> and returns null if no DNT header would be sent to that document origin, or the exact DNT header (DNT:1 or DNT:0) that would be sent otherwise.
-          </p>
               This property enables a site executing code in its own origin
               to determine what DNT header would be sent to it in the current
@@ -1029,10 +1025,6 @@
 <dfn>first-party</dfn>    = %x22 "first-party" %x22
 <dfn>first-party-v</dfn>  = array-of-strings
-          <p class="issue" data-number="190" title="Sites with multiple first parties ">
-            <b>[PENDING REVIEW]</b> The <code><a>first-party</a></code>
-            member resolves this issue.
-          </p>
             An OPTIONAL member named <code><a>same-party</a></code> MAY be
             provided with an array value containing a list of domain names
@@ -1150,6 +1142,17 @@
   "control": "/your/data",
+		  <p class="issue" data-number="164" title="To what extent should the same-party attribute of tracking status resource be required?">
+		  3 Alternatives - text is needed:<br/>
+		  (A) Current draft: Resource is optional<br/>
+		  (B) Alternative proposal 1: If multiple domains on a page belong to the 
+		  same party, then this fact SHOULD be declared using the 
+		  same-party attribute<br/>
+		  (C) Alternative proposal 2: State that user agents MAY assume that 
+		  additional elements that are hosted under a different URL and occur 
+		  on a page and declare "intended for 1st party use" are malicious unless 
+		  this URL is listed in the "same-party" attribute
+		 </p>
         <section id='status-checks-not-tracked'>
@@ -1336,7 +1339,7 @@
         <p class="issue" data-number="144" title="What constraints on user agents should be imposed for user/granted exceptions">
-          <b>[OPEN]</b> but mostly addressed in the proposal here.
+          <b>[PENDING REVIEW]</b> but mostly addressed in the proposal here.
@@ -1467,7 +1470,7 @@
           <p class="issue" data-number="112" title="How are sub-domains handled for site-specific exceptions?">
-            <b>[PENDING REVIEW]</b> Should a request for a tracking exception
+            <b>[OPEN]</b> Should a request for a tracking exception
             apply to all subdomains of the first party making the request? Or
             should a first party explicitly list the subdomains that it's
             asking for? Similarly, should third-party subdomains be allowed
@@ -1589,6 +1592,28 @@
             "DNT:1E" where E means you are a first party with one or more 
             active exceptions.
+          <p class="issue" data-number="151" title="User Agent Requirement: Be able to handle an exception request">
+            <b>[OPEN]</b> There is software that in just a few lines of code 
+            just spawn DNT;1 or DNT;0 headers regardless of user's will. A 
+            requirement on the user agent that they can handle the full 
+            exception mechanism will allow to discard compliance statements by 
+            those agents. It will 
+            also allow also the site to test for conformance by requiring an 
+            exception. In case the UA does not react on an exception request, 
+            the server could ignore DNT signals from that UA. It would allow 
+            thus testing from the horizon of the site without wild guessing;<br/>
+            However, there is no practical difference between a UA that hard-wires
+            'no' to all exception requests, and a UA that does not implement the 
+            calls.
+           </p>
+           <p class="issue" data-number="187" title="What is the right approach to exception handling?">
+            <b>[PENDING REVIEW]</b><br/>OLD: Site asks user agent for exception; user 
+            agent asks user and responds (UA is responsible to ensure that 
+            exceptions reflect user preferences)<br/>
+			NEW: Site asks user for their preference and stores this in user 
+			agent. User agent may double-check that this indeed matches preference 
+			but is not obliged to do so.
+           </p>
@@ -1977,13 +2002,6 @@
           trust without visiting that site.
-        <p class="issue" data-number="140" title="Do we need site-specific exceptions, i.e., concrete list of permitted third parties for a site?">
-          <b>[PENDING REVIEW]</b> In this section; yes, as some sites may
-          have a mix of trusted/needed third parties, and others that either
-          don't need to track, or aren't as trusted, or both. But all sites
-          are (a) told what they got granted (list, or *) and (b) are assured
-          that requests will be treated 'atomically'.
-        </p>
       <section id="exceptions-no-js" class="informative">
Received on Tuesday, 12 February 2013 15:16:42 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:48:56 UTC