- From: Rigo Wenning <rigo@w3.org>
- Date: Sun, 03 Jun 2012 16:48:32 +0200
- To: public-tracking@w3.org
- Cc: "Dobbs, Brooks" <brooks.dobbs@kbmg.com>, Justin Brookman <justin@cdt.org>, Shane Wiley <wileys@yahoo-inc.com>
Hi Brooks,

welcome back in the game. We have already discussed a requirement in the Specification that intermediaries shouldn't inject stuff. Issue is that the server doesn't see that it is an injection as we do not have hashing or some such SSL. So by receiving a DNT;1 header, the server has to assume this status and by receiving a DNT;0 can assume an exception.

In case of injections, injecting DNT;1 is creating trouble for the server and injecting DNT;0 is creating trouble for the user. This is just a weak point of the protocol because of the lacking end-to-end security.

We can surely require it, but does it buy us anything? I don't know. I would not object if someone would come up with a good wording.

Rigo

On Friday 01 June 2012 17:56:21 Dobbs, Brooks wrote:
> New voice here... I might as well jump right into the controversy.
>
> I am not sure there is full consistency here. I read the spec as saying
> "Key to that notion of expression is that it must reflect the user's
> preference". This seems pretty foundational to me. Where there is a
> significant likelihood for the origin server to believe that the
> expression is not a reflection of the user's preference (either as a 1 or
> a 0), wouldn't such server be in error to process it accordingly?
> Conversely to the IE/AVG cases, if hypothetically an ISP were to inject
> an extension into every DNT header which in the future allowed for an
> exception, wouldn't the server be in error for always making room for
> this exception where they know it to be coming from that ISP?
>
> -Brooks

Received on Sunday, 3 June 2012 14:48:59 UTC