RE: TPE latest

Matthias, Roy,

I concur whith Mike's suggestions for text changes.

Moreover, Subsection 10.1 is redundant as it is already explained in subsection 5.2. Moreover, subsection 10.1 is not a privacy consideration as such. It has a clarifying function, which is already addressed in subsection 5.2. 

Therefore, I suggest deleting subsection 10.1. (I made the remark on 21 August, URL: https://lists.w3.org/Archives/Public/public-tracking/2017Aug/0017.html).

Rob


-----Original message-----
From: Mike O'Neill
Sent: Wednesday, August 30 2017, 3:34 pm
To: 'Roy T. Fielding'; 'Matthias Schunter'
Cc: public-tracking@w3.org
Subject: TPE latest

Roy,

 
This is very good, I am happy with it except for the following nits:

 
6.3 para 4

 
A first party site's page (the top-level browsing context) might be used to obtain site-specific consent for multiple parties; e.g., using multiple iframe elements containing scripts that can convey information about each party's policies and obtain specific consent for each party. In this case, the effective script origin might be different from the site for which consent is being granted.

 
It can be also web-wide also now, and consent is always being granted for the script origin, or a subdomain of it (or site-specific consent for a subresource of it). Suggested change:

 
A first party site's page (the top-level browsing context) might be used to obtain site-specific or web-wide consent for multiple parties; e.g., using multiple iframe elements containing scripts that can convey information about each party's policies and obtain specific consent for each party. In this case, consent is being obtained for the effective script origin of the iframe's responsible document, which could be different from that of the top-level browsing context.

 
 
6.3 para 6

 
A site can request an exception be stored even when the user's general preference is not enabled. This permits the sending of DNT only for target resources for which an expressed preference is desired. Stored exceptions could affect which preference is transmitted if a user later chooses to configure a general tracking preference.

 
This is a bit unclear, especially the meaning of the last sentence. We should say this is only about DNT:0, and remove the last sentence which does not really add anything. It is a MAY anyway, so best leave it to the browser provider. Suggested change:

 
A site can request an exception be stored even when the user's general preference is not enabled. This permits the sending of DNT:0 only for target resources for which the expressed preference is desired. 

 
6.6.1, 6.6.2, 6.6.3 description of “targets” property.

 
targets

An array of target domains for which the exception applies:

* If targets is undefined or null, the user-granted exception to be stored is [site, *], meaning that the exception applies to all domains referenced by the site.
* If targets is an empty array, the user-granted exception to be stored is [site, script domain], meaning that the exception applies only to resources that share the same domain as the effective script origin.
* Otherwise, for each domain string in the targets array, a user-granted exception to be stored is the duplet [site, domain].

 
It is unclear if the script origin always receives  an exception, which was the case before. A “domain referenced by the site” implicitly includes the script origin, and the empty array case specifically includes it, so it would make sense to cover this also for the non-empty targets case. Suggested change:

 
 
 
targets

An array of target domains for which the exception applies:

* If targets is undefined or null, the user-granted exception to be stored is [site, *], meaning that the exception applies to all domains referenced by the site.
* If targets is an array, the user-granted exception to be stored is at least [site, script domain], meaning that the exception applies to resources that share the same domain as the effective script origin.
* Additionally, for each domain string in the targets array, a user-granted exception is stored for the the duplet [site, domain].

 
Mike