RE: TPE - Questions around UGE API Consolidation

Shane,

On your second point, I agree it should not be possible for a subresource to register an exception for the first-party without the first-party being aware of it.

CSP has a reporting feature we could copy, but care would have to be taken that it did not introduce another privacy or security risk.

Perhaps we should just rule it out, making the first-party always responsible. Or allow it only if the first-party explicitly enables it, say by a Boolean in the TSR, “allowThirdPartyUGE”.

Mike

From: Shane M Wiley [mailto:wileys@oath.com] 
Sent: 21 August 2017 02:10
To: public-tracking@w3.org
Subject: TPE - Questions around UGE API Consolidation

Multi-Domain First Party: Many websites operate under more than one core domain to manage their resources in a distributed manner or across individual product domains under the corporate domain. Our team has not reviewed the UGE API since the consolidation and noticed on this pass that the ability to send multiple first party domains as part of a site-wide exception has been lost in the new approach. It appears only a single "site" can be provided per call now, requiring multiple API calls for the same entity. For example, www.yahoo.com and www.yimg.net would each require a separate call. It doesn't appear there was a desire to force to a same origin policy here such that only the host domain can request a site-wide exception for its domain, so would it be possible to include the "site" array property again?

3rd Parties Registering Exceptions on 1st Party Sites: It appears it may be possible for a 3rd party to attempt to register a user granted exception while operating on a 1st party site. As it would be unexpected to occur in this scenario, we'd ask that we determine a way for the 1st party to be notified in this case.

- Shane

Shane Wiley

VP, Privacy

Oath: A Verizon Company

Received on Monday, 21 August 2017 10:10:12 UTC