- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Thu, 18 Aug 2016 16:56:38 +0100
- To: <public-tracking@w3.org>
- Cc: <jeff@w3.org>
Bouncer lets you quickly see how sites respond to DNT.

It shows there are quite a few sites responding with Tk: 1, which is not one of the valid values in the TPE https://www.w3.org/TR/tracking-dnt/#tracking-status-value

Sites that do this include the GCHQ! www.gchq.gov.uk, but also w3.org. I imagine the reason so many sites get this wrong is because of the W3C example.

I think the reason the w3.org site team did this may have been confusion on what TSV to use. If no tracking occurs then the obvious response would be Tk: N, but the W3C also uses an authentication cookie UID. Because images are often loaded on other sites, e.g. https://w3.org/2008/site/images/logo-w3c-mobile-lg, w3.org ends up being an embedded third-party, so should return Tk: T when the authentication is present, but this breaks expiration caching as Roy has pointed out.

If this was the reason it is unfortunate that it wasn’t brought up here.

The situation could be addressed in 3 ways.

1) W3C site is changed to return Tk: T for DNT logged in users, otherwise Tk: N, and support verification caching. This would create a bigger load on W3C servers though for UAs other than IE (assuming w3.org also uses the API).

2) We add a new permitted use to the TPE with a new qualifier code L for first-party login. It can only be used for that purpose, and is discarded if seen as an embedded third-party.

3) We do 2) but also accept the situation as de-facto, and make a TSV of "1" an alias for "C" with an assumed qualifier of "L" (and an implied commitment to discard the UID as above).

Mike

-----Original Message-----
From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
Sent: 10 August 2016 19:12
To: public-tracking@w3.org
Subject: Bouncer, Guide

Following today’s call, here again is the Chrome browser extension Bouncer https://chrome.google.com/webstore/detail/baycloud-bouncer/bplgfejjkplajgmkcbbgaeceamceohkc?hl=en-GB&gl=GB

It shows how sites and third-parties respond to DNT, if they have a TSR, EFF Policy, TSV response header etc. Click on the TSR one to see the actual TSR.

It implements the full API, use this test page to exercise it: https://baycloud.com/api/test

and here again is the DNTGuide document: https://trackingprotection.github.io/Implementation/DNTGuide/

Mike
Received on Thursday, 18 August 2016 15:57:17 UTC
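
The kind of check the message describes, flagging Tk response headers such as "Tk: 1" whose value is not a valid tracking status value, can be sketched as follows. This is an added example, not part of the original message and not Bouncer's code; the TSV set and status-id grammar follow the TPE section linked in the message, and the hostnames and header values are constructed.

```python
import re

# Tracking status values (TSV) defined by the TPE grammar; case-sensitive.
VALID_TSV = {
    "!": "under construction",
    "?": "dynamic",
    "G": "gateway to multiple parties",
    "N": "not tracking",
    "T": "tracking",
    "C": "tracking with consent",
    "P": "tracking only if consented",
    "D": "disregarding DNT",
    "U": "updated",
}

# Tk-field-value = TSV [ ";" status-id ]
# status-id      = 1*( ALPHA / DIGIT / "_" / "-" / "+" / "=" / "/" )
STATUS_ID = re.compile(r"[A-Za-z0-9_\-+=/]+")


def check_tk(value):
    """Validate one Tk field value; return (ok, meaning_or_reason)."""
    tsv, sep, status_id = value.strip().partition(";")
    if tsv not in VALID_TSV:
        return False, f"invalid tracking status value {tsv!r}"
    if sep and not STATUS_ID.fullmatch(status_id):
        return False, f"malformed status-id {status_id!r}"
    return True, VALID_TSV[tsv]


def audit(responses):
    """Map host -> reason for every host whose Tk header is invalid.

    A missing Tk header is not reported: the header is optional.
    Header names are matched case-insensitively.
    """
    findings = {}
    for host, headers in responses.items():
        tk = next((v for k, v in headers.items() if k.lower() == "tk"), None)
        if tk is not None:
            ok, detail = check_tk(tk)
            if not ok:
                findings[host] = detail
    return findings


# Constructed sample responses (hypothetical hosts and values).
SAMPLE = {
    "site-a.example": {"Tk": "1"},
    "site-b.example": {"tk": "N"},
    "site-c.example": {"Tk": "T;fRx42"},
    "site-d.example": {"Tk": "n"},
    "site-e.example": {"Content-Type": "text/html"},
}
```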