Re: "cross-site"

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 16 Nov 2011 00:17:52 -0800
Cc: public-tracking@w3.org
Message-Id: <8CD84F3C-4CBC-4B14-834E-EECCA1F3B5F1@gbiv.com>
To: Mark Nottingham <mnot@mnot.net>

On Nov 14, 2011, at 3:46 PM, Mark Nottingham wrote:

> Hello,
> Congratulations on getting a WD out. 
> Regarding <http://www.w3.org/TR/2011/WD-tracking-dnt-20111114/>, the draft makes liberal use of the term "cross-site."

It is short-hand for tracking from one branded site to a differently branded site.

> I could suggest leveraging the work happening in the IETF regarding "origin" <http://tools.ietf.org/html/draft-ietf-websec-origin>, if that's the intent, or concepts in DNS, if that's the intent.

No, they have nothing to do with one another.  Origin is a trusted domain list
for running JavaScript.  Its scope is based on which domains are locked-down
secure (no user-provided data), not which domains share the same user branding.

One would not sensibly list a user forum inside the same Origin as a bank
application, even if they are branded as the same site.

> However, I think what you're *really* looking for is a term that's less technical and more legal / societal / organisational; something analogous to what people occasionally call "administrative domain" and which your introduction obliquely refers to using variants of the term "party." 
> I think this distinction is important, because using a (pseudo-) technical term as the basis of DNT's semantics opens it to technical circumvention. 

There is nothing in the term that impacts how the protocol is implemented.
What it impacts is the scope of compliance in terms of user expectations.

Received on Wednesday, 16 November 2011 08:18:15 UTC
