W3C home > Mailing lists > Public > public-tracking@w3.org > May 2012

Re: Well known URIs and large sites

From: イアンフェッティ <ifette@google.com>
Date: Wed, 9 May 2012 09:09:51 -0700
Message-ID: <CAF4kx8ejn=JSQGjme+t3QLkHiwnMuTrG2KPSn4sjr0s0JuADxw@mail.gmail.com>
To: Matthias Schunter <mts-std@schunter.org>
Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Hi Matthias,

The truth is that nothing is going to be "Simple" -- it's all relative :)

I think the response headers would be "simpler" than the alternative.

I think what I would envision is perhaps a fixed-set of "simple, well known
default policies" that you could specify in a response header. If you have
something more complex, you can specify your own identifier that points to
a policy hosted under /.well-known/dnt.

As for whether there's something that lives in a "default site policy" at
/.well-known/dnt (with no arguments or anything else, just
/.well-known/dnt) that would apply in the absence of anything else, I think
that's fine as long as it can say "No, you really need to fetch the
specific policy I've included in my response as my site is too complex for
a single policy".

-Ian

On Wed, May 9, 2012 at 9:05 AM, Matthias Schunter <mts-std@schunter.org>wrote:

> Hi Ian,
>
>
> thanks for this feedback. I understand that it may be dificult.
>
> Quick questions:
> - Would response headers be simple/OK for you to handle?
>
> If this is the case, I see two alternatives:
> - one may consider posting a default via a single/fixed well-known URI
> (not the whole space) and the provide the specifics via the header.
> - one may consider to permit headers stand-alone without info at the
> well-known URI.
>
> Opinions/Feedback?
>
>
> matthias
>
>
> On 09/05/2012 17:31, Ian Fette (イアンフェッティ) wrote:
> > This email is intended to satisfy ACTION-193
> >
> > The current proposal requires duplicating the entire website's
> > namespace under /.well-known/dnt/ -- that is to say, if you
> > request
> https://apis.google.com/_/apps-static/_/js/gapi/googleapis_client,plusone/rt=j/ver=OjdQ3MbDCro.en./sv=1/am=!uchpBK-CNFmZrNLZSw/d=1
> > <
> https://apis.google.com/_/apps-static/_/js/gapi/googleapis_client,plusone/rt=j/ver=OjdQ3MbDCro.en./sv=1/am=%21uchpBK-CNFmZrNLZSw/d=1
> >
> > I have to have a policy file
> > under
> https://apis.google.com/.well-known/dnt/_/apps-static/_/js/gapi/googleapis_client,plusone/rt=j/ver=OjdQ3MbDCro.en./sv=1/am=!uchpBK-CNFmZrNLZSw/d=1
> > <
> https://apis.google.com/.well-known/dnt/_/apps-static/_/js/gapi/googleapis_client,plusone/rt=j/ver=OjdQ3MbDCro.en./sv=1/am=%21uchpBK-CNFmZrNLZSw/d=1
> >
> >
> > This is difficult for large sites for a number of reasons.
> >
> > 1. Parts of the URL might be used as transitive data, e.g. not
> > actually representing an actual file but rather arguments to be passed
> > to the server. This essentially means that I need to query whatever
> > frontend service handled the original request, and the parameters
> > specified as part of the URL may or may not still have meaning at that
> > time.
> >
> > 2. The policy might depend on query parameters which in the current
> > draft are not sent, e.g.
> > both
> https://www.google.com/search?source=ig&hl=en&rlz=&q=microsoft&btnG=Google+Search
> > <
> https://www.google.com/search?source=ig&hl=en&rlz=&q=microsoft&btnG=Google+Search
> >
> > and
> https://www.google.com/search?sugexp=chrome,mod=12&sourceid=chrome&ie=UTF-8&q=microsoft
> > <
> https://www.google.com/search?sugexp=chrome,mod=12&sourceid=chrome&ie=UTF-8&q=microsoft
> >
> > represent searches on Google for "microsoft" but come from different
> > sources and therefore may have different logging policies (one came
> > from iGoogle, the other from the Chrome omnibox). We may potentially
> > need query parameters in this case to figure that out.
> >
> > 3. Creating this duplicate namespace now means I've got additional
> > mappings/rules for my load balancers / frontends, depending on how
> > much flexibility you have this may be a small overhead or if may be
> > quite large.
> >
> > 4. A URL that is used in both first and third party contexts certainly
> > has no way of knowing if it was used in a first or third party context
> > under the current proposal. (Whether a site can know at all if it is
> > 1st/3rd party in any reliable manner is still in the current draft an
> > open issue AFAIK though).
> >
> > What I had proposed in earlier discussions, and what I still maintain
> > would be more workable for some large sites, is to instead have the
> > request return (perhaps as an alternative to the current well-known
> > location proposal) a "policy identifier". That is, the response could
> > include something like 'Tk:3,maps' and then if the client cared it
> > could fetch /.well-known/dnt/maps to get the policy identified by the
> > token "maps". This avoids the problems 1-4 listed above as at the time
> > of serving the request, I believe a site has at that point better
> > information about what policy applies to the request than being asked
> > at a random later point in time at a different address.
> >
> > -Ian
>
Received on Wednesday, 9 May 2012 16:36:16 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:28 UTC