
Re: "cross-site"

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 18 Nov 2011 07:51:38 +0100
To: Karl Dubost <karld@opera.com>
Cc: <public-tracking@w3.org>
Message-ID: <4rrbc7pqkeg58pbc1vrd0tng5rms8071t4@hive.bjoern.hoehrmann.de>
* Karl Dubost wrote:
>There is *no way* for stats.example.com to know that the HTTP request
>is made because of the initial request on http://www.example.org/foo
>EXCEPT if the client sends a "Referer:" HTTP header.
>(these are quite broken and used heavily for spam)

If you want to be DNT compliant, then you should separate the services
you yourself use as first party from the services you offer to third
parties; that way you can tell by looking at what the requests are for
and ignore where they are from, other than monitoring for hotlinking
and things like that. If you don't want to do that, your other options
are treating first-party DNT users the same as third-party DNT users,
or simply not claiming DNT compliance.

>The way http://stats.example.com/blah might know about it is because of
>
>* sessionId in URIs - evil, bad architectural design
>* cookies or other local storage mechanisms
>* tainted URIs with parameters and/or hash signs
>* Browser fingerprinting

If I understand you correctly, I believe the third option is used on
http://validator.w3.org/ to betray details of your visit to "flattr".
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Friday, 18 November 2011 06:52:10 UTC
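The two technical points in the message above, decide DNT treatment from the request target rather than from Referer, and the "tainted URI" channel that lets a third party learn the embedding page without any Referer, as an added example. This is not code from the thread or from any W3C project: the host table, the Request type and the button.example host are constructed for illustration, and the rule that a first-party endpoint may keep its own state under DNT=1 is one reading of the separated-services option, labelled as an assumption in the code.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Constructed service table (hypothetical hostnames from the thread): which
# hostnames this operator runs as its own first-party site, and which it
# offers to other sites as a third-party service. The role is fixed by the
# hostname requested, so it can be determined without looking at Referer.
SERVICE_ROLE = {
    "www.example.org": "first-party",
    "stats.example.com": "third-party",
}


@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def tracking_allowed(req):
    """Decide from the request target alone whether tracking state may be used.

    Referer is deliberately never consulted: the endpoint's role comes from the
    requested hostname, so the decision is the same whether or not the client
    stripped or forged Referer. Returns (allowed, reason).
    """
    role = SERVICE_ROLE.get(req.host)
    if role is None:
        return False, "unknown host: refuse tracking by default"
    dnt = req.header("DNT") == "1"
    if not dnt:
        return True, f"{role} request, DNT not set"
    if role == "first-party":
        # Assumption: under DNT=1 the first party may still keep its own
        # session state; only the third-party service must not track.
        return True, "first-party request, DNT=1: own state only"
    return False, "third-party request, DNT=1: do not set or read tracking state"


def embedded_urls(url):
    """Return absolute URLs carried in the query string or fragment of `url`.

    This is the 'tainted URI' channel: when a page embeds a third-party
    resource whose URL has the page's own address baked in as a parameter,
    the third party learns which page was visited even if no Referer header
    is sent. Query parameters reach the third party's server in the request
    line; a fragment is not sent over HTTP but is readable by the third
    party's own script via location.hash.
    """
    parts = urlsplit(url)
    found = []
    for component in (parts.query, parts.fragment):
        # parse_qs percent-decodes once; do not decode again, or a URL that
        # itself carries an encoded URL (see the test input) would be mangled.
        for values in parse_qs(component, keep_blank_values=True).values():
            for v in values:
                inner = urlsplit(v)
                if inner.scheme in ("http", "https") and inner.netloc:
                    found.append(v)
    return found
```

`tracking_allowed` is the "look at what the request is for" rule: stats.example.com is a third-party endpoint whoever embeds it, so a DNT=1 request there gets no tracking state regardless of the (possibly absent) Referer. `embedded_urls` shows why the author's remark about the validator's button matters: a resource URL such as `https://button.example/submit?url=http%3A%2F%2Fvalidator.w3.org%2Fcheck%3F...` hands the visited page to the third party in the URL itself.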
