
RE: URIs, deep linking, framing, adapting and related concerns

From: Larry Masinter <masinter@adobe.com>
Date: Fri, 16 Oct 2009 09:19:45 -0700
To: Jonathan Rees <jar@creativecommons.org>, Rotan Hanrahan <rotan.hanrahan@mobileaware.com>
CC: "www-tag@w3.org" <www-tag@w3.org>, Thinh Nguyen <thinh@creativecommons.org>
Message-ID: <8B62A039C620904E92F1233570534C9B0118DC469E1A@nambx04.corp.adobe.com>

(Composed earlier and a little out of order now):

You'd think I'd be happy to disclaim the TAG reducing its work in this
area, citing that it is a "non-technical" question, but there's still
an architectural framework of messages and responsibility; recall
the http://lists.w3.org/Archives/Public/www-tag/2009Oct/0020.html 
discussion about authoritative metadata, MIME types, and the
responsibility associated with sending a JPEG image which says
"fire! fire!" as text/plain (or some such; I think the minutes
didn't catch the full example.)

In the cases of deep linking, I think we should look at whether the
security and administrative concerns that lead to consideration of
"same origin cookies", CORS, mash-ups, and the browser security
concerns around delegated authority and confused deputy attacks 
are additional sources of requirements for consideration. 

Producer A creates a message W (an HTTP response in HTML, say) which
the producer purports comes from A, and sends the message to consumer
B. Consumer B reads and interprets the message, believing the message
to be delivered with A's authority and ownership.

However, consumer B, following W3C recommendations, sees images or
frames or sometimes redirects or links to images, data, or pages
viewed that do not actually come from producer A, but instead 
producer C.  W might contain IMG tags pointing to C's site,
or frame a page from C's site, or otherwise use C's information
without C's knowledge, permission, authorization, or copyright
release.

Producer A is not merely "uttering" the address of C's data;
producer A is sending B a message which causes B to be confused
about the source. If Producer A is responsible for the effect
of A's messages on consumer B if consumer B is carefully following
recommendations or well-known best practice, then can 
Producer A be held responsible for misappropriating
C's information?

The act to focus on, though, is not merely the "uttering"
of the link, but the use of a link in a context which causes
the receiver to follow the link in a different context
than the one intended.

Whether this is illegal, a violation of some right of C, rude
or misleading may be out of scope for the TAG, but at least
we might be able to provide a clearer foundation for talking 
about such things.

If there is a free sports event, but someone stands outside 
selling "tickets", is this illegal or merely enterprising?
If someone takes a freely distributed TV recording and 
substitutes their own advertisers for the original ones,
is this illegal, rude, or just fun? 

I think the judgment about legality may depend on the way in
which deep linking is used, and certainly a blanket ban on
"deep linking" isn't likely to be useful.

Another way in which W3C recommendations might have some effect
on the question of deep linking is whether W3C (or IETF) 
provide mechanisms by which deep linking can be effectively
prevented; for example, could the Origin mechanism being 
proposed to solve cross-origin request spoofing also be
used to prevent links from other sites?

Larry
--
http://larry.masinter.net



Received on Friday, 16 October 2009 16:20:23 GMT
