W3C home > Mailing lists > Public > public-tracking@w3.org > May 2012

Re: ACTION-177: Add an API to let a site request a web-wide exception

From: Nicholas Doty <npdoty@w3.org>
Date: Tue, 15 May 2012 17:11:33 -0400
Cc: "public-tracking@w3.org" <public-tracking@w3.org>
Message-Id: <5BFC4C8C-B14A-4303-B969-8FA80DAEF6EA@w3.org>
To: Shane Wiley <wileys@yahoo-inc.com>
Thanks for drafting this, Shane.

If we want to re-use the TrackingResponseCallback interface for this method, we should also define what the "granted" parameter will signify.

In the current draft (for requestSiteSpecificTrackingException):

> The granted parameter passed to the callback is the user’s response; true indicates the user wants an exception on this site for all of the trackers specified inarrayOfDomainStrings. The response false indicates that the user does not want an exception on this site for at least one of the trackers specified inarrayOfDomainStrings.
> 
> A particular response to the API — like a DNT response header — is only valid immediately, and users' preferences may change.

Presumably in this case true indicates that the user wants to grant an exception to the tracker specified in domainString and false indicates that the user does not wish to grant an exception to the tracker.

The caution that preferences may change is particularly true here. In addition, what do you want to happen if the Web-wide exception is granted generally but the user's preferences specify that they'll continue to send DNT:1 while browsing some sites or during some browsing modes?

One possibility:
> A particular value of `granted` in response to this API is only valid immediately and generally; users' preferences may change and other user preferences (per site or per browsing mode, for example) may override.

Also,
> A separate call must be made for each DomainString and the requester origin should match the DomainString. 


I do believe the agreement in DC was that the requester origin would have to match. Is there a particular reason you wrote this as "should" rather than "must"? If the requester origin and requested exception domain are always the same, could we remove the domainString parameter altogether and the request would just be for the script origin?

Thanks,
Nick

On May 15, 2012, at 1:05 AM, Shane Wiley wrote:

> 6.7 Web-wide exceptions
>  
> Users may wish to configure exceptions for a certain trusted tracker across several or all sites.
>  
> User agents may instantiate NavigatorDoNotTrack.requestWebWideTrackingException. Sites should test for the existence of requestWebWideTrackingException before calling the method. If an exception is granted in this context and the user-agent stores that preference, a user agent may send a DNT:0 header even if a tracking preference isn't expressed for other requests.
>  
> A web-wide exception request can be initiated even when navigator.doNotTrack is null.
>  
> [NoInterfaceObject]
> interface NavigatorDoNotTrack {
>     void requestWebWideTrackingException (DomainString, TrackingResponseCallback callback, optional  explanationString, optional  detailURI);
> };
>  
>    - DomainString, a single domain signifying the origin of the domain receiving the web-wide exception.
>    - Note – all like named fields carry the same definitions as set forth in requestSiteSpecificTrackingException.
>  
> A separate call must be made for each DomainString and the requester origin should match the DomainString. 
>  
> Multiple calls can be facilitated through nested iFrames for each domain, similar to the NAI opt-out page individual domain call routines to set opt-out cookies for each domain. 
Received on Tuesday, 15 May 2012 21:11:45 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:28 UTC