
Re: Well-known URI vs response headers? [ISSUE-81, ISSUE-47, ISSUE-80]

From: Nicholas Doty <npdoty@w3.org>
Date: Mon, 5 Mar 2012 14:27:44 -0800
Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-Id: <9BE9652F-0281-46FE-BF8E-B1076B82D8E7@w3.org>
To: Ronan Heffernan <ronansan@gmail.com>
[Another message originally not sent to the public list. This is the last of these, I believe. My apologies for the confusion.]

On Oct 29, 2011, at 1:31 PM, Nicholas Doty wrote:
On Oct 28, 2011, at 3:24 AM, Ronan Heffernan wrote:

> If the opt-in status is not stored in a cookie, data-store, or other technology that is accessible to the script at the well-known URI (as a flag, a userid to be looked-up, a session-id to be looked up, etc.), then how will it be accessible to the page-elements that will perform the tracking?  If the opt-in statement is contained in a POST, that information will be recorded somewhere for later use (e.g. a cookie or a database record) that the well-known URI script can access, unless the POST that changes the user's opt-in status is being sent directly to the object that is doing the tracking, for one-time use.

When I load a page in my browser, I can also execute JavaScript and other local plugins, like Flash. I don't expect the user agent to execute client-side JavaScript or plugins when loading the well-known URI to check a machine-readable policy; as a result there are lots of technologies that aren't available to the script at the well-known URI. So if a tracking element uses localStorage, Flash LSOs, browser fingerprinting or any other technology other than HTTP cookies to identify a user (and the user's opt-back-in status), then it could track a user across sites and not be able to tell that user about their opt-back-in status at the well-known URI.

—Nick
Received on Monday, 5 March 2012 22:27:54 UTC
