
Revised approach to Exceptions

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Wed, 9 Jan 2013 12:16:08 -0000
To: "David Singer" <singer@apple.com>
Cc: <public-tracking@w3.org>
Message-ID: <0c4901cdee63$1b911b80$52b35280$@baycloud.com>
Hi David,


On the new API (to answer "does this exception that I previously requested
still exist?"), surely the receipt of a DNT:0 in the request header (or from
the current requestDNTStatus()) already indicates that?


If you mean an embedded frame could ask the question about another domain -
i.e. requestDNTStatus(DOMString otherdomain), then we could be introducing
a new fingerprinting risk.

For example, script in a frame could set up a web-wide exception for
"insurancerisk.com", which could then be checked anywhere with
requestDNTStatus("insurancerisk.com"), indicating one bit of data about the
current user-agent/user. More bits could be added by executing as many dummy
WW exception calls as needed.


It is a pity though because this would be a way to solve some of Shane's
use-cases, i.e. you could set up a site specific exception for webmail.com
then query for its existence on webmail.co.uk. This would only work for
resources returning HTML though so it would not help with imagecloud.com, so
probably not worth the fingerprinting risk.









Received on Wednesday, 9 January 2013 12:16:37 UTC
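
A toy model of the leak described in the message above, added here as an example; it is not code from the original post or from the Tracking Preference Expression draft. `ExceptionStore`, `statusAny`, `statusOwn` and the `.example` domains are hypothetical, constructed names. It compares what a script can observe under a cross-domain status query with what it can observe when the query is scoped to the caller's own origin.

```javascript
// Toy model of a user agent's web-wide DNT exception store (hypothetical names).
class ExceptionStore {
  constructor() { this.webWide = new Set(); }
  // Models a granted web-wide exception for `domain`.
  grantWebWide(domain) { this.webWide.add(domain); }
  // Cross-domain variant discussed in the message: any caller may ask about any
  // domain. "0" models DNT:0 (exception exists), "1" models DNT:1.
  statusAny(_callerOrigin, domain) { return this.webWide.has(domain) ? "0" : "1"; }
  // Origin-scoped variant: the caller learns only the status of its own domain.
  statusOwn(callerOrigin) { return this.webWide.has(callerOrigin) ? "0" : "1"; }
}

// What a script running as `callerOrigin` can observe about `probeDomains`.
// null means the API gives the caller no answer for that domain.
function observableBits(store, callerOrigin, probeDomains, crossDomain) {
  return probeDomains.map((d) => {
    if (crossDomain) return store.statusAny(callerOrigin, d) === "0" ? 1 : 0;
    if (d !== callerOrigin) return null;
    return store.statusOwn(callerOrigin) === "0" ? 1 : 0;
  });
}

// True if the two user agents look different to the caller through the API.
function distinguishable(storeA, storeB, callerOrigin, probes, crossDomain) {
  const a = observableBits(storeA, callerOrigin, probes, crossDomain);
  const b = observableBits(storeB, callerOrigin, probes, crossDomain);
  return JSON.stringify(a) !== JSON.stringify(b);
}

// Constructed sample data: two user agents holding different dummy exceptions.
const PROBES = ["d0.example", "d1.example", "d2.example"];
const CALLER = "frame.example";

function buildStore(domains) {
  const s = new ExceptionStore();
  domains.forEach((d) => s.grantWebWide(d));
  return s;
}

const userA = buildStore(["d0.example", "d2.example"]);
const userB = buildStore(["d1.example"]);

// Cross-domain query: each dummy domain contributes one observable bit.
console.log(observableBits(userA, CALLER, PROBES, true), distinguishable(userA, userB, CALLER, PROBES, true));
// Origin-scoped query: the dummy exceptions are invisible to other origins.
console.log(observableBits(userA, CALLER, PROBES, false), distinguishable(userA, userB, CALLER, PROBES, false));
```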
