W3C home > Mailing lists > Public > public-tracking@w3.org > November 2011

Re: tainted uris and tracking Re: "cross-site"

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sat, 19 Nov 2011 00:33:34 +0100
To: Karl Dubost <karld@opera.com>
Cc: <public-tracking@w3.org>
Message-ID: <4tkdc71kh8d1i32hpb26uip80tbpr2266o@hive.bjoern.hoehrmann.de>
* Karl Dubost wrote:
>On http://validator.w3.org/, when accessing.
>
>The flattr toolbox is generated by this script on W3C site
>http://www.w3.org/QA/Tools/don_prog.js
>
>This script generates another call to 
>http://api.flattr.com/js/0.6/load.js?mode=auto
>
>which itself generates markup an iframe from
>http://api.flattr.com/button/view

Yes, I was specifically referring to the fact that the parameters to
that include the validator.w3.org host name. If "flattr" was to use
its own service as a first party, they would not use that name, so by
virtue of the presence of the parameter value, they can conclude they
are not first party. Since you didn't call that out, I am not sure if
you consider the inclusion of the host name in the address to be a
case of "tainted" addresses.

>Another thing to notice. W3C would not know programmatically if the user
>is tracked or not, because it is an iframe, in case flattr would change
>its policy. The tainted URIs are not created by W3C either and the
>cookies are not in the W3C domain but flattr.com.

Yes, and if you consider putting some Valid XHTML badge on your page,
you also cannot programmatically determine if the W3C is tracking the
users of your site if you reference the image from w3.org rather than
using a local copy, unless you infer that from the P3P policy, which
is probably not a viable option as P3P does not have many features to
express data minimization techniques which may be subject to complex
rules that are difficult to capture in a machine readable format. The
Working Group seems unlikely to materially change that by January.

>It is why I try to understand how that would be working on all sides
>with a DNT:1
>
>* user
>* browser
>* 1st party (here W3C)
>* 3rd party (flattr.com)

Perhaps an example helps: "flattr" offers static and dynamic versions
of their button. The Validator uses the dynamic one that shows you a
counter value. The static version can be hosted locally, so "flattr"
would not learn of your visit to validator.w3.org unless you click on
the button. I would expect the W3C to modify the "flattr" embedding
script so it uses the static version for users sending the DNT signal,
so they cannot be tracked by "flattr". The only loss in functionality
would be that users who want to know the counter value have to click
on the button, so this is a very easy way to (partially) honour the
user's wish.

My impression though is that you seem to see a more fundamental pro-
blem with the "do not track" concept, but I could not make out where
you are coming from so far.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Friday, 18 November 2011 23:34:05 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:22 UTC