- From: Shane M Wiley <wileys@oath.com>
- Date: Wed, 30 Aug 2017 08:01:23 -0700
- To: "Mike O'Neill" <michael.oneill@baycloud.com>
- Cc: "Roy T. Fielding" <fielding@gbiv.com>, Matthias Schunter <mts-std@schunter.org>, public-tracking@w3.org
- Message-ID: <CAEwb2ynqedcrGo_+6pAvag1thSQO+6g=vuFPysUuevtysTQ+-w@mail.gmail.com>
Mike and Group,

This statement "*A site can request an exception be stored even when the user's general preference is not enabled."* is a bit misleading as an exception can be stored at any time if the user has granted consent - regardless of their general preference. For example, the general preference may be DNT:1 to all sites UNTIL an exception is granted. Not sure when this language made its way into the document but it isn't what we've been discussing.

- Shane

On Wed, Aug 30, 2017 at 6:32 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:

> Roy,
>
> This is very good, I am happy with it except for the following nits:
>
> 6.3 para 4
>
> *A first party site's page (the top-level browsing context) might be used to obtain site-specific consent for multiple parties; e.g., using multiple iframe elements containing scripts that can convey information about each party's policies and obtain specific consent for each party. In this case, the effective script origin might be different from the site for which consent is being granted.*
>
> It can also be web-wide now, and consent is always being granted for the script origin, or a subdomain of it (or site-specific consent for a subresource of it). Suggested change:
>
> *A first party site's page (the top-level browsing context) might be used to obtain site-specific or web-wide consent for multiple parties; e.g., using multiple iframe elements containing scripts that can convey information about each party's policies and obtain specific consent for each party. In this case, consent is being obtained for the effective script origin of the iframe's responsible document, which could be different from that of the top-level browsing context.*
>
> 6.3 para 6
>
> *A site can request an exception be stored even when the user's general preference is not enabled. This permits the sending of DNT only for target resources for which an expressed preference is desired. Stored exceptions could affect which preference is transmitted if a user later chooses to configure a general tracking preference.*
>
> This is a bit unclear, especially the meaning of the last sentence. We should say this is only about DNT:0, and remove the last sentence which does not really add anything. It is a MAY anyway, so best leave it to the browser provider. Suggested change:
>
> *A site can request an exception be stored even when the user's general preference is not enabled. This permits the sending of DNT:0 only for target resources for which the expressed preference is desired.*
>
> 6.6.1, 6.6.2, 6.6.3 description of “targets” property.
>
> *targets*
>
> An array of target domains for which the exception applies:
>
> - If targets <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dom-trackingexdata-targets> is undefined or null, the user-granted exception to be stored is [site, *], meaning that the exception applies to all domains referenced by the site.
> - If targets <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dom-trackingexdata-targets> is an empty array, the user-granted exception to be stored is [site, script domain], meaning that the exception applies only to resources that share the same domain as the effective script origin <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dfn-effective-script-origin>.
> - Otherwise, for each domain string in the targets <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dom-trackingexdata-targets> array, a user-granted exception to be stored is the duplet [site, domain].
>
> It is unclear if the script origin always receives an exception, which was the case before. A “domain referenced by the site” implicitly includes the script origin, and the empty array case specifically includes it, so it would make sense to cover this also for the non-empty targets case. Suggested change:
>
> *targets*
>
> An array of target domains for which the exception applies:
>
> - If targets <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dom-trackingexdata-targets> is undefined or null, the user-granted exception to be stored is [site, *], meaning that the exception applies to all domains referenced by the site.
> - If targets <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dom-trackingexdata-targets> is an array, the user-granted exception to be stored is at least [site, script domain], meaning that the exception applies to resources that share the same domain as the effective script origin <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dfn-effective-script-origin>.
> - Additionally, for each domain string in the targets <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dom-trackingexdata-targets> array, a user-granted exception is stored for the duplet [site, domain].
>
> Mike

--
- Shane

Shane Wiley
VP, Privacy
Oath: A Verizon Company

Received on Wednesday, 30 August 2017 15:01:48 UTC
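
Added example, not part of the original message or of the draft specification: a sketch of the two readings of the "targets" property quoted in the thread (the draft text and the suggested replacement), showing which [site, domain] duplets each would store. The function names, the "*" wildcard model and the .example domains are assumptions made for illustration.

```javascript
// Added illustration: names below are hypothetical, not taken from the draft.
// A stored exception is a duplet [site, target]; "*" stands for
// "all domains referenced by the site".

function checkTargets(targets) {
  if (!Array.isArray(targets) || targets.some((d) => typeof d !== "string")) {
    throw new TypeError("targets must be undefined, null or an array of domain strings");
  }
}

// Drop repeated duplets while keeping first-seen order.
function dedupe(duplets) {
  const seen = new Set();
  return duplets.filter(([site, target]) => {
    const key = site + " " + target; // domains cannot contain spaces
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
}

// Reading of the draft text quoted in the message.
function exceptionsPerDraft(site, scriptDomain, targets) {
  if (targets === undefined || targets === null) return [[site, "*"]];
  checkTargets(targets);
  if (targets.length === 0) return [[site, scriptDomain]];
  return dedupe(targets.map((domain) => [site, domain]));
}

// Reading of the suggested replacement text: the script domain is always stored.
function exceptionsPerSuggestion(site, scriptDomain, targets) {
  if (targets === undefined || targets === null) return [[site, "*"]];
  checkTargets(targets);
  return dedupe([[site, scriptDomain], ...targets.map((domain) => [site, domain])]);
}

// True when a request from `site` to `domain` is covered by a stored exception.
function isCovered(duplets, site, domain) {
  return duplets.some(([s, t]) => s === site && (t === "*" || t === domain));
}

// Constructed sample values.
const site = "news.example";
const scriptDomain = "consent.example";
const targets = ["ads.example", "metrics.example"];
console.log(isCovered(exceptionsPerDraft(site, scriptDomain, targets), site, scriptDomain));      // false
console.log(isCovered(exceptionsPerSuggestion(site, scriptDomain, targets), site, scriptDomain)); // true
```

The two readings differ only for a non-empty targets array, which is the case the message asks to have covered.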