- From: Shane M Wiley <wileys@oath.com>
- Date: Fri, 25 Aug 2017 08:49:50 -0700
- To: "Matthias Schunter (Intel Corporation)" <mts-std@schunter.org>
- Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-ID: <CAEwb2yk_hHZ_rsjVgLY79NFzJd34sOOnjUWK9Y_v-1yiy1FX1A@mail.gmail.com>
Thank you so much!

If it helps with the "misuse concern" on sub-resource web-wide exceptions we can also store the top origin domain with the web-wide domain call. This would provide regulators and publishers a trail to follow back to the location of where the web-wide exception had been registered.

- Shane

On Fri, Aug 25, 2017 at 7:30 AM, Matthias Schunter (Intel Corporation) <mts-std@schunter.org> wrote:

> Dear TPWG,
>
> I had a quick chat with Mike. Our proposal is to:
> (a) rollback the editors draft to our original consensus
> (b) suggest to add an implementation recommendation that helps
>     mitigating the fingerprinting risk: By limiting the number of
>     site-specific UGE that a domain can store, we also limit the capability
>     to fingerprint.
>
> Below are more detailed notes.
>
> Any comments and feedback are welcome!
>
> Note that we are aware that anyone (including sub-resources) can store
> web-wide exceptions. I suggest to see how the adoption evolves and then
> browsers can determine whether additional checks and balances may be
> needed.
>
> Regards,
> matthias
>
> ------------------8<---
>
> Original (still valid) consensus:
> - 1st party and third parties
>   - can ask for web-wide and site-specific UGE
>   - both for the script origin only
>
> Current editors draft:
> - 1st party
>   - can ask for web-wide and targeted UGE
>   - both for the script origin only
> - third parties
>   - can ask (only) for site-specific UGE
>   - web-wide is not allowed
>
> Shortcomings of the current draft:
> - site-specific UGE poses fingerprinting risk (Mike)
> - web-wide for sub-element are needed for
>   consent portal (Shane)
>
> Proposed modifications of the editors draft:
> - Back to original consensus (to address Shane's usage)
>   - 1st party and third parties
>     - can ask for web-wide and site-specific UGE
>     - both for the script origin only
> - Mitigate fingerprinting risk by NOTE that suggests
>   that browsers may limit the number of stored site-specific
>   exceptions per top-level domain.
>
> Assessment of proposed consensus:
> + A compliance portal (e.g. google) can now register web-wide UGE for
>   same party domains (e.g. youtube).
> + The limited number of site-specific user-granted exceptions can
>   minimize fingerprinting risk
> - If web-wide user-granted exceptions are mis-used, additional checks
>   and balances may be needed in the future.

--
- Shane

Shane Wiley
VP, Privacy
Oath: A Verizon Company

Received on Friday, 25 August 2017 15:50:14 UTC