Re: [tracking-syntax] DOM Interface NavigatorDoNotTrack from Sid Stamm on 2011-11-29 (public-tracking@w3.org from November 2011)

From: Sid Stamm <sid@mozilla.com>
Date: Tue, 29 Nov 2011 10:43:23 -0800
To: Karl Dubost <karld@opera.com>
CC: "(public-tracking@w3.org) (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <4ED527CB.1080104@mozilla.com>

Hi Karl,

We're shipping navigator.doNotTrack, but currently consider the feature
experimental (it possibly could be removed in the future, or its values
might change if our working group decides on a different standard).

Sidenote: For the purpose of this message, consider first-party and
third-party as the technical scheme/host/port (e.g., https://foo.com:80)
definitions, not those we're discussing in issues.  :)

As we discussed in the santa clara F2F, things with the DOM flag
(navigator.doNotTrack) get a little hairy if there's a browser-based
mechanism to enable/disable the header on a per-domain basis.  As I'm
sure you're aware, there's a mismatch between "origin" of an HTTP
request header and "origin" of the runtime of a script.  A script from a
third-party host will be transmitted in the origin of their serving
host, but run in the origin (or context) of the first party web site.

Since a third-party script host may see two messages, one in DOM and one
in an HTTP header, the third-party script somewhat belongs to both
origins, or maybe a third that is the combination of the other two --
it's not clear.  Great care must be taken to ensure that the DOM object
reflects the same intent as any HTTP header transmitted to the script
server.

This potential technical conflict makes me think that Firefox can only
have one (navigator.doNotTrack) or the other (browser-based whitelist),
so if we ship a whitelist mechanism, we'll likely have to remove the DOM
flag.

-Sid

On 11/24/11 10:57 AM, Karl Dubost wrote:
> About http://www.w3.org/TR/2011/WD-tracking-dnt-20111114/
> Tracking Preference Expression (DNT)
> W3C Working Draft 14 November 2011
> 
> 
> 
> Currently the proposed Interface is
> http://www.w3.org/TR/2011/WD-tracking-dnt-20111114/#js-dom
> 
>     WebIDL
>     [NoInterfaceObject]
>     interface NavigatorDoNotTrack {
> 
>         readonly attribute DOMString doNotTrack;
>     };
> 
> How is it stable?
> 
> 
> # Current implementations
> 
> Opera
> We are in the process of figuring if we will implement it or not. 
> 
> Mozilla interface is slightly different 
> https://developer.mozilla.org/en/DOM/navigator.doNotTrack
> * There is a discussion about the HTTP header being another source of finger printing.
>   https://bugzilla.mozilla.org/show_bug.cgi?id=630357
> 
> 
> IE supports document.navigator.doNotTrack
> http://www.w3.org/Submission/2011/SUBM-web-tracking-protection-20110224/#dnt-uas
> 
> Safari, Chrome
> Webkit had no record of it in its bugtracker.
> I created it https://bugs.webkit.org/show_bug.cgi?id=73088
> 
>

Received on Tuesday, 29 November 2011 18:45:38 UTC