Re: first party resource from Roy T. Fielding on 2012-04-18 (public-tracking@w3.org from April 2012)

From: Roy T. Fielding <fielding@gbiv.com>
Date: Wed, 18 Apr 2012 09:51:35 -0700
To: ifette@google.com
Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
Message-Id: <91441379-1648-4DB9-BB18-70F04ECA69AF@gbiv.com>

On Apr 18, 2012, at 8:44 AM, Ian Fette (イアンフェッティ) wrote:

> This would add an extra 1xRTT to pageload, and block ALL subresources, no?

This alone?  No.  This is primarily just a way to define the scope of a
first party such that our requirements make sense.  A user agent that
*needs* this info can get it.  If they don't need it, they would not get it.

E.g., if the user agent *wants* to send different header to the claimed
first-party sites (as opposed to just the primary request vs subrequests),
then it would need this information to do so; if it just wishes to send
a different value on subrequests, then it does not need the info.
A user agent that is coloring request elements based on the distinction
could check the info either pre or concurrent with rendering.

....Roy

> My understanding of your proposal is that I would have to fetch /, wait for the response which indicates where I find its DNT info (or perhaps it's at a well-known location?) and then only after I get this array of "here's how big I am" can I issue subsequent requests, as I need to know if I'm interacting with a 1st or 3rd party to send the correct header in the request?
> 
> On Tue, Apr 10, 2012 at 2:00 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> I am unsatisfied by all of the first-party definitions because I don't consider
> them to be implementable (e.g., neither "can infer with high probability that the
> user knowingly and intentionally" nor "the party that owns the Web site or has
> control over the Web site" can be determined programmatically).
> 
> I suggest that we simply state:
> 
>  1) A first-party resource is a resource that has been designed for direct
>     interaction with a user.
> 
>  2) When a user interacts with a given first-party resource, all subrequests
>     made to that first-party's domain or to any of the domains listed in the
>     same-party array within the first-party's tracking status resource are
>     also considered first-party resources; all other subrequests are considered
>     third-party resources.
> 
>  3) The same-party array MUST be limited to domains that are owned or controlled
>     by the same legal entity that owns or controls the first-party as well as
>     domains that qualify as third parties acting on behalf of this first party.
> 
>  4) The same-party array SHOULD be limited to domains that share sufficient
>     context with the first-party, such that the user has a reasonable expectation
>     that data provided to any of these domains might be shared or combined with
>     data provided to the other same-party domains.
> 
>  5) Data provided to first-party resources is subject to first-party compliance
>     requirements; data provided to third-party resources is subject to third-party
>     compliance requirements.
> 
> ....Roy
>

Received on Wednesday, 18 April 2012 16:52:02 UTC