W3C home > Mailing lists > Public > public-tracking@w3.org > October 2012

Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)]

From: イアンフェッティ <ifette@google.com>
Date: Tue, 23 Oct 2012 14:15:29 -0700
Message-ID: <CAF4kx8cZA6xshjX0zO348GW76CB5=JRLUrAZzHxPmBBcbU0XRQ@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: "Mike O'Neill" <michael.oneill@baycloud.com>, Nicholas Doty <npdoty@w3.org>, "public-tracking@w3.org Group WG" <public-tracking@w3.org>
On Tue, Oct 23, 2012 at 12:24 PM, Roy T. Fielding <fielding@gbiv.com> wrote:

> On Oct 23, 2012, at 3:15 AM, Mike O'Neill wrote:
>
> > The point about particular resource URIs changing from 3rd to 1st party
> > context is one of the reasons for the change I suggested in issue-182.
> The
> > user-agent has the party information at hand when it sends out a request,
> > and it would be simple for it to communicate this to the server in the
> DNT
> > header.
>
> No, it does not.  The fact is that neither the browser nor the server
> knows what requests are first party and what requests are third party.
> Just clicking on a link doesn't make it the first party -- the identifier
> would have to be compared to the contextual user information (the
> information that gave the user the idea that they wanted to click
> on that link).
>
> In theory, the only way we could mechanically distinguish between
> first and third party references would be to change the URIs
> (not going to happen) or add additional metadata to the mark-up to
> indicate which is which; in practice, we already know that authors
> won't correctly mark-up such links, and I suspect TLR would be
> somewhat upset if I started redefining HTML here.
>
> Of course, this has no impact on enforcement of the standard.
> The people building Web sites know which links are to third parties,
> even if they don't have a special mark-up.
> Regulators are fully capable of distinguishing between where they
> intend to visit and other entities that might be performing data
> collection -- a simple browser extension or protocol stream capture
> will reveal all they need to know, and is easily packaged as a tool.
>
> > For example the handler associated with a social widget will
> > normally receive a request indicating 3rd party context usage ( DNT: 1)
> and
> > the handler will return Tk3. If a user clicks on it a request will be
> sent
> > out with the f qualifier ( DNT: 1f)  and the handler can return a Tk1
> > response if it now conforms to 1st party rules.
> >
> > In the DNT = 0 case the exception API will have been called. In a 3rd
> party
> > context the DNT header would now be DNT: 0t=toplevel.com indicating the
> > document origin of the top level page, which is also the origin host
> which
> > initiated the exception. This can be used to prove compliance (by
> retaining
> > logs in the DNT:0 case) or to debug script errors on the top level site.
>
> HTTP already has Referer header fields.
>
> ....Roy
>
>
>
Referer is not sent though with https if the site is on a different origin.

Stepping back though, we're spending a lot of time defining all of these
more complex response codes, has anyone expressed any interest in using
them? I believe this is already more complex than we have any interest in
using, and wonder if others are in a similar position.

-Ian
Received on Tuesday, 23 October 2012 21:15:58 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:36 UTC