- From: Karl Dubost <karld@opera.com>
- Date: Fri, 18 Nov 2011 09:29:54 -0500
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- Cc: <public-tracking@w3.org>
On 18 Nov 2011, at 01:51, Bjoern Hoehrmann wrote:

>> The way http://stats.example.com/blah might know about it is because of
>>
>> * sessionId in URIs - evil, bad architectural design
>> * cookies or other local storage mechanisms
>> * tainted uris with parameters and or hash signs
>> * Browser fingerprinting
>
> If I understand you correctly, I believe the third option is used on
> http://validator.w3.org/ to betray details of your visit to "flattr".

On http://validator.w3.org/, when accessing it, the flattr toolbox is generated by this script on the W3C site:
http://www.w3.org/QA/Tools/don_prog.js

This script generates another call to
http://api.flattr.com/js/0.6/load.js?mode=auto
which itself generates markup, an iframe from
http://api.flattr.com/button/view
calling things from flattr.com and setting a sessionid cookie with no Expires, which means it lasts only the time of the session, for example
PHPSESSID le0eq6055l8lnes50to1old5e2

This iframe contains a few things, including the
document.domain = 'flattr.com';
and indeed tainted URIs such as
http://api.flattr.com/button/click/e1dcb079d564823ab142b1a0f8962e04

Reloading the frame gives another tainted URI:
http://api.flattr.com/button/click/89eec9a61cab8ab66eeb7a6a172f2ea6

I'm not sure what the purpose is, given that the number seems to be randomly generated. I guess it associates the sessionid and the tainted URIs to compute the rebound rate (aka the percentage of users actually clicking it). This specific tainted URI seems to be "safe".

Now it would be entirely possible to create a tainted URI constructed from the cookie itself and track the user each time he is going back to the primary Web site.

Another thing to notice. W3C would not know programmatically if the user is tracked or not, because it is an iframe, in case flattr would change its policy. The tainted URIs are not created by W3C either, and the cookies are not in the W3C domain but flattr.com.
This is why I try to understand how that would be working on all sides with a DNT:1:
* user
* browser
* 1st party (here W3C)
* 3rd party (flattr.com)

I also do not have a flattr account, so I do not know if flattr has a more "aggressive" behavior in case you do. The privacy policy seems to indicate that it is an opt-in for users to disclose that information.
http://flattr.com/privacy

--
Karl Dubost - http://dev.opera.com/
Developer Relations & Tools, Opera Software
Received on Friday, 18 November 2011 14:30:42 UTC