Re: [ACTION-20] First parties signaling exceptions to third parties

From: Peter Eckersley <peter.eckersley@gmail.com>
Date: Mon, 28 Nov 2011 13:38:47 -0800
Message-ID: <CAOYJvnJqbyjUTuJfJE+1FyREiWHczTRfratwyDqwhDjVj8JyHA@mail.gmail.com>
To: Kevin Smith <kevsmith@adobe.com>
Cc: "public-tracking@w3.org" <public-tracking@w3.org>
Picking up this thread again...

On 15 November 2011 13:16, Kevin Smith <kevsmith@adobe.com> wrote:

> Peter,
> Sorry.  I missed the URI parameter somehow and read it as an additional
> header.  A URI parameter could work, although I actually think this could
> be quite complicated since many requests go through multiple services and
> multiple redirects and the request to the final service likely does not
> even resemble the original request.  The parameter would have to be passed
> on.

This makes sense to me, and I would be happy to amend the proposed language
to say that passing on the parameter is permitted.

> Cookies would actually have similar challenges, but at least then the
> communication only needs to happen once - not on every request.  Of course,
> that does expose the solution to the usual cookie disadvantages, but if the
> 1st party is storing the exception in a cookie (which is a very likely
> scenario) then those disadvantages already exist.

My guess is it will be more common for 1st parties to store the exception
in association with accounts rather than specific cookies, though clearly
the cookie-only case is possible.

> Practically speaking, I do not think we should attempt to enforce a
> particular methodology, but should allow the participants to choose the
> method that works best for them (could even be out-of-band visitor id
> syncing).  Of course, we can still suggest different methods such as these
> in the docs.

From a web developer's point of view, using MUST in a proposal like this
has the benefit of standardization: it means that 1st and 3rd party
opt-back-in code is more likely to be compatible even when the relationship
between the 1st and 3rd party is very casual (e.g., the 1st party just turned
on a plugin in their CMS, pasted some JS into a page, etc).

Of course there are different benefits in terms of transparency for users
who want to be able to see what domains regard them as having opted-back-in
to tracking.

Received on Monday, 28 November 2011 21:39:15 UTC