
Re: "cross-site"

From: Karl Dubost <karld@opera.com>
Date: Thu, 17 Nov 2011 11:11:13 -0500
Message-Id: <7AB2737B-4A05-433E-B225-7B585C3754CD@opera.com>
Cc: "<public-tracking@w3.org> (public-tracking@w3.org)" <public-tracking@w3.org>
To: Shane Wiley <wileys@yahoo-inc.com>

On 17 Nov 2011 at 10:22, Shane Wiley wrote:
> This statement is an attempt to remove the concern that a 1st party, which will most likely not be subject to the DNT signal, does not have a backdoor opportunity to pass user data directly to a 3rd party (aka - closing a loophole). 3rd parties present on the 1st party's web site should honor the DNT signal directly.

hmmm… but from an HTTP request point of view everyone is 
a first party except if the client sends an HTTP Referer [1], [2] 
(which is not mandatory) and can often be ignored.

/me is really trying hard to understand how it is supposed to work 
and be implementable.


So I restart:

1. User agent (client, a piece of software) sends an HTTP request for 
   http://www.example.org/foo (1st party) with the HTTP header "DNT:1"

2. the server at www.example.org sends a representation (document) 
   for http://www.example.org/foo and logs the request

3. the user agent parses the document and sees there are other links,
   for example a link to http://stats.example.com/blah

4. the user agent sends an HTTP request for http://stats.example.com/blah
   with the HTTP header "DNT:1"

5. the server at stats.example.com sends a representation (document) 
   for http://stats.example.com/blah and logs the request


There is *no way* for stats.example.com to know that the HTTP request 
is made because of the initial request on http://www.example.org/foo
EXCEPT if the client sends a "Referer:" HTTP header.
(these are quite broken and heavily used for spam)

The way http://stats.example.com/blah might know about it is because of

* sessionId in URIs - evil, bad architectural design
* cookies or other local storage mechanisms
* tainted URIs with parameters and/or hash signs
* Browser fingerprinting


[1]: http://en.wikipedia.org/wiki/Referer
[2]: http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-17#section-9.7



-- 
Karl Dubost - http://dev.opera.com/
Developer Relations & Tools, Opera Software
Received on Thursday, 17 November 2011 16:11:48 UTC
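The five-step exchange and the Referer point made in the message above, as an added example that is not part of the thread: a small Python model of what each server can infer from a single request. The function names, the constructed headers, and the simplification that "cross-site" is decided by comparing origins are assumptions of this example.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Return scheme://host[:port] for a URL, or None if it is not absolute."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc.lower()}"


def server_view(request_url, headers):
    """What one server can infer from one request: whether DNT:1 is set, and
    whether the request is cross-site, which it can only tell from a Referer.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    dnt = h.get("dnt") == "1"
    target = origin_of(request_url)
    ref = origin_of(h["referer"]) if "referer" in h else None
    if ref is None:
        context = "unknown"      # no Referer: the server cannot tell
    elif ref == target:
        context = "same-site"    # simplification: compares origins only
    else:
        context = "cross-site"
    return {"dnt": dnt, "context": context, "referer_origin": ref}


def simulate(send_referer):
    """Walk the five steps from the message: the first-party navigation, then
    the embedded third-party fetch. Returns each server's log entry.
    All headers below are constructed for this example."""
    first = "http://www.example.org/foo"
    third = "http://stats.example.com/blah"
    # Steps 1 and 2: a top-level navigation to a typed URL carries no Referer.
    hdr_first = {"DNT": "1", "Host": "www.example.org"}
    log_first = server_view(first, hdr_first)
    # Steps 3 to 5: the page embeds a third-party resource; the user agent
    # may or may not attach the Referer, and nothing else ties the two requests.
    hdr_third = {"DNT": "1", "Host": "stats.example.com"}
    if send_referer:
        hdr_third["Referer"] = first
    log_third = server_view(third, hdr_third)
    return log_first, log_third


if __name__ == "__main__":
    for flag in (False, True):
        print(f"Referer sent: {flag} ->", simulate(flag)[1])
```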
