W3C home > Mailing lists > Public > public-tracking@w3.org > October 2011

Re: [ISSUE-81, ACTION-13] Response Header Format

From: Matthias Schunter <mts@zurich.ibm.com>
Date: Wed, 19 Oct 2011 02:08:02 -0400
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: "Kevin Smith" <kevsmith@adobe.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <OFC1257067.003A1E53-ONC125792E.0021A386@ch.ibm.com>

Hi Team,

I see Roys point that compliancy is often all-site or nothing.

I would like to come back to my earlier question: Which are
scenarios/usecases that are important and that require an individualized
response header?


Regards,
 Matthias

-original message-
Subject: Re: [ISSUE-81, ACTION-13] Response Header Format
From: "Roy T. Fielding" <fielding@gbiv.com>
Date: 2011/10/19 02:51

On Oct 14, 2011, at 2:40 PM, Kevin Smith wrote:

> I am still not convinced a return header is necessary, but if we decide
it is, as Tom mentioned in Action 13, it is important that our spec be very
extensible for possible future modifications.  The binary approach he
suggested (1 = Respect the DNT signal, 0 = Will not respect) is certainly
easy to extend.  If other responses are needed, you can easily add
additional codes.  If we wanted to add textual explanations as Peter (I
think) suggested in Boston, or URIs to definition documents as Roy
suggested, they could easily be appended to the header.
>
> However, one thing that a 0|1 response would make it difficult to do in
the future would be to group different types of responses such as defined
reasons why a site may or may not respect the DNT header.  If we think it
is likely that additional responses will be needed now or in the future, we
may want to follow something closer to the http response codes (ie 200s =
ok, 300s = redirect, 400s = bad request etc)

Speaking as an editor of the HTTP spec, I do not want to see
yet another three-digit response code in HTTP.  They are useful
for status codes because we expect to need the space and the code
is often visible to users.  A similar three-digit code was added
for cache warnings, and that was a horrible mistake.  Any discussion
about such codes leads to confusion with the status codes.

> For example,
>
> 100 = Will not respect DNT (same as currently suggested 0)
> 101 = Will not respect because I am a 1st party
> 102 = Will not respect because you have opted in to my tracking
> 103 = Allowed to track because it’s for research (possibly)
> 104 = Allowed to track because of exemption X
> …
>
> 200 = Will Respect DNT (same as currently suggested 1)
> 201 = Even though DNT was not turned on, you have an opt-out cookie
> 202 = I never track
> …
>
> 300 = I don’t know (could be the default, and probably means the same
thing as no response)
> 301 = Don’t know because I have never set up a web server before, I don’t
know what DNT means and I will never get enough hits for anyone to care
about what I do anyway.  (OK, we probably do not need a code for this –
just checking if you are still reading)
> …
>
> Then if a browser or plugin wanted to provide a more customized
experience to the user, it could use this additional information.  I am not
saying that we should take this approach now (or ever), but if we wanted to
start with the simple binary approach, perhaps we should start with codes
100=No, 200=Yes (or something similar), so that we leave our options open
in the future.
>
> Note: this is certainly not the only way to do it.  We could also go with
a 0|1 now, and then add a delimiter with a subcode (ie – 1:2 = You have
opted back in).  I just thought this may be a good grouping mechanism that
is easy to parse and process.

My intention is to initially spec the usual HTTP extensibility mechanism

( "0" / "1" ) *[ ";" token [ "=" ( token / quoted-string ) ]]

and state in the prose that recipients need only parse the first
character of the field-value if they do not support extensions.

Also, there is no deployed practice for a response header field,
so I do not plan on reusing the DNT field-name for both -- that is
just too confusing.  If a response header field is necessary, it
can be something like

Tracking: 0

and then I don't have to spend paragraphs trying to explain
directionality of messages to the reader (i.e., what DNT means
if it is received as a client as opposed to what it means as
received by a server).  Let me know if that is a problem.

....Roy
Received on Wednesday, 19 October 2011 06:08:38 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:22 UTC