W3C home > Mailing lists > Public > public-tracking@w3.org > March 2012

Re: ISSUE-111 - Exceptions are broken

From: David Singer <singer@apple.com>
Date: Tue, 27 Mar 2012 16:47:47 -0700
Message-id: <81EE5E6D-1EAD-4623-BF64-BF642294477E@apple.com>
To: Tracking Protection Working Group WG <public-tracking@w3.org>

On Mar 7, 2012, at 10:02 , Kevin Smith wrote:

> Even with an *, meaning that the exception applies to all 3rd parties on the 1st party site, 

I've been meaning to ask: is that "all the 3rd parties I am using today" or "all the 3rd parties I am using and might use in the future"?  I rather suspect it's the latter, whereupon it's saying "I trust the Bogville Chronicle to use only reputable 3rd parties", right?

On Mar 8, 2012, at 14:17 , Kevin Smith wrote:

>> As I understand it, an exception for "*" on a first-party site would imply that the user agent would send DNT:0 to every domain from which a resource was requested as part of loading the first-party page (including subsequent re-directs, iframes and XHR requests).
> 
> I am not sure how to do this using current methodologies.  Take a simple example.  Site A has an exception for all 3rd parties and includes 3rd Party B which then includes 3rd Party C.  3rd Party C is requested from 3rd Party B, not Site A.  How does the browser know that 3rd Party C's request originated from Site A?  Certainly 3rd Part C probably knows from customized request parameters, but how does the browser map the request to its list of exceptions to even see the '*' associated with site A?  I think this would be new functionality.

Assuming that the browser has a clear idea of the 1st party (the top-level context) then when requesting resources to build that page, it merely has to ask whether the origin of the resource matches an exception in the list for that 1st party (with * matching everyone), doesn't it?  What am I missing?

User visits Bogville Chronicle.  (bogville.com).  
UA finds the 3rd-party exception list for that user on bogville.com
As each HTTP request is generated, ask "is the origin in the exception list?" - if so, send DNT:0, else send DNT:1.

If the bogville.com people can't enumerate the closure of the sites that they care about, then use "*".

I think this gets ugly when you consider mash-up sites, however.  That assumption that the UA can always work out what top-level browsing context is the owner for every other fetch may be difficult to get water-tight.

On Mar 8, 2012, at 18:22 , Jonathan Mayer wrote:

> 
> If a user has DNT enabled, an ad need not be (and most often won't be) random.  I believe there is a consensus in the group that contextual targeting, demographic targeting, and geographic targeting (possibly with some degree of coarseness) would all be allowed.
> 

Yes, I don't think anyone has issues with using real-time data, including data in the transaction itself: time of day, location, kind of site visited, kind of ad requested, and so on. Knowing nothing about me and remembering nothing about me does NOT say you can't look at the clock, where the request came from (IP, Geo), where the ad will be embedded, and all sorts of other non-user-specific information.



David Singer
Multimedia and Software Standards, Apple Inc.
Received on Tuesday, 27 March 2012 23:49:25 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:26 UTC