- From: Peter Eckersley <peter.eckersley@gmail.com>
- Date: Wed, 9 Nov 2011 10:20:03 -0800
- To: Tracking Protection Working Group WG <public-tracking@w3.org>
- Message-ID: <CAOYJvn+7Qz_5iKMj0A523PWhb-jDYqjiCUoXXAYhUcN_BWN+dA@mail.gmail.com>
Some possible language to consider: First parties sometimes have active exceptions to DNT. For instance, a user on the New York Times site may have logged in and knowingly opted back in to being tracked by third parties while reading the New York Times site. In such a case, the first party needs a way to signal to the third parties that, for these particular requests, an exception is overriding the DNT: 1 header that the user's browser is sending. If a first party wishes to signal to a third party that there is an active exception to DNT, the first party MUST indicate this with a request parameter "dnt-override=" with a non-null value (eg, "dnt-override=1", "dnt-override=user logged in", "dnt-override=retain for 1 week", etc). This parameter may be set as a URI query parameter, a URI fragment parameter, or an HTTP POST parameter. A webserver receiving a request with the "dnt-override=" parameter with a value of "1" MAY disregard a DNT: 1 header that it simultaneously receives from the client. However if it does so, it MUST send the Tracking: 1 response header to the client. First parties and third parties MAY agree to additional semantics for values of the dnt-override parameter other than 1 or null. If a third party receives a value for "dnt-override" where such an agreement and implementation is not in place, it MUST send Tracking: 0 to the client, and ignore the dnt-override parameter. -- Peter
Received on Wednesday, 9 November 2011 18:20:39 UTC