W3C home > Mailing lists > Public > public-tracking@w3.org > October 2012

Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)]

From: イアンフェッティ <ifette@google.com>
Date: Tue, 23 Oct 2012 16:58:57 -0700
Message-ID: <CAF4kx8daUX2OvPDwRi0fprravVtFaE2sZxGFxeqrbDJUfGgPEw@mail.gmail.com>
To: Fred Andrews <fredandw@live.com>
Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
It's not clear why this matters. You say you support DNT. That's all that
should matter, unless you expect the browser to do something differently
depending on  whether the site thinks it's a first or third party. I don't
expect the browser to do anything differently. What do you mean by "defend
the users tracking preference?"

-Ian

On Tue, Oct 23, 2012 at 4:34 PM, Fred Andrews <fredandw@live.com> wrote:

>
> 'Yes, I support DNT' is not a clear answer as currently defined.
>
> Does this mean 'Yes, I support DNT and conform to the 1st party
> requirements'
> or does it mean 'Yes, I support DNT and conform to the 3rd party
> requirements'?
>
> User agents do have a real need for a specific answer so they can defend
> the
> users tracking preference.  Mike has also mentioned concern about EU
> requirements.
>
> cheers
> Fred
>
> ------------------------------
> From: ifette@google.com
> Date: Tue, 23 Oct 2012 16:02:37 -0700
> To: michael.oneill@baycloud.com
> CC: fielding@gbiv.com; npdoty@w3.org; public-tracking@w3.org
>
> Subject: Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value
> for EU [Tracking Preference Expression (DNT)]
>
> I still don't understand the need for this. The server should simply state
> "Yes, I support DNT" or "No, I don't support DNT" (or alternately "Yes, I'm
> honoring your request" or "No, I'm not honoring your request.")
>
> By creating this desire for the server to differentiate between parties,
> we've created this rathole that has turned into multiple over-long threads.
> There is no fundamental need for this. If someone feels that their request
> has been improperly handled, they are free to dig into all of this offline.
> As a browser, I have no intention of doing anything with this data, thus I
> don't see why there is any need. We are just over-complicating the protocol.
>
> Personally, this has gotten to a level of unnecessary complexity where I
> believe it would hurt adoption and as a result would vote against its
> inclusion in the protocol. I think we should go back to a simple "Yes I'm
> honoring your request" or "No I'm not honoring your request" 1/0 approach.
> Any additional information can be spelled out in the tracking resource
> document if someone chooses but need not be included in every response.
>
> -Ian
>
> On Tue, Oct 23, 2012 at 3:50 PM, Mike O'Neill <michael.oneill@baycloud.com
> > wrote:
>
> Ian,****
>
> ** **
>
> I would agree with you if we don’t have to differentiate between parties,
> but as it is we need to have a way for resources (handlers, what have you)
> to indicate what they claim to be.****
>
> ** **
>
> If there was no difference all we would need would be a status resource
> reporting compliance with the spec.****
>
> ** **
>
> Thanks for pointing out the https/http problem with the Referer header, I
> forgot to mention that in my reply to Roy.****
>
> ** **
>
> Mike****
>
> ** **
>
> ** **
>
> *From:* Ian Fette (イアンフェッティ) [mailto:ifette@google.com]
> *Sent:* 23 October 2012 22:15
> *To:* Roy T. Fielding
> *Cc:* Mike O'Neill; Nicholas Doty; public-tracking@w3.org Group WG
>
> *Subject:* Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status
> value for EU [Tracking Preference Expression (DNT)]****
>
> ** **
>
> On Tue, Oct 23, 2012 at 12:24 PM, Roy T. Fielding <fielding@gbiv.com>
> wrote:****
>
> On Oct 23, 2012, at 3:15 AM, Mike O'Neill wrote:
>
> > The point about particular resource URIs changing from 3rd to 1st party
> > context is one of the reasons for the change I suggested in issue-182.
> The
> > user-agent has the party information at hand when it sends out a request,
> > and it would be simple for it to communicate this to the server in the
> DNT
> > header.****
>
> No, it does not.  The fact is that neither the browser nor the server
> knows what requests are first party and what requests are third party.
> Just clicking on a link doesn't make it the first party -- the identifier
> would have to be compared to the contextual user information (the
> information that gave the user the idea that they wanted to click
> on that link).
>
> In theory, the only way we could mechanically distinguish between
> first and third party references would be to change the URIs
> (not going to happen) or add additional metadata to the mark-up to
> indicate which is which; in practice, we already know that authors
> won't correctly mark-up such links, and I suspect TLR would be
> somewhat upset if I started redefining HTML here.
>
> Of course, this has no impact on enforcement of the standard.
> The people building Web sites know which links are to third parties,
> even if they don't have a special mark-up.
> Regulators are fully capable of distinguishing between where they
> intend to visit and other entities that might be performing data
> collection -- a simple browser extension or protocol stream capture
> will reveal all they need to know, and is easily packaged as a tool.****
>
>
> > For example the handler associated with a social widget will
> > normally receive a request indicating 3rd party context usage ( DNT: 1)
> and
> > the handler will return Tk3. If a user clicks on it a request will be
> sent
> > out with the f qualifier ( DNT: 1f)  and the handler can return a Tk1
> > response if it now conforms to 1st party rules.
> >
> > In the DNT = 0 case the exception API will have been called. In a 3rd
> party
> > context the DNT header would now be DNT: 0t=toplevel.com indicating the
> > document origin of the top level page, which is also the origin host
> which
> > initiated the exception. This can be used to prove compliance (by
> retaining
> > logs in the DNT:0 case) or to debug script errors on the top level site.
> ****
>
> HTTP already has Referer header fields.
>
> ....Roy
>
> ****
>
> ** **
>
> Referer is not sent though with https if the site is on a different origin.
> ****
>
> ** **
>
> Stepping back though, we're spending a lot of time defining all of these
> more complex response codes, has anyone expressed any interest in using
> them? I believe this is already more complex than we have any interest in
> using, and wonder if others are in a similar position.****
>
> ** **
>
> -Ian****
>
> ** **
>
>
>
Received on Tuesday, 23 October 2012 23:59:25 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:36 UTC