- From: Larry Masinter <masinter@adobe.com>
- Date: Fri, 16 Oct 2009 09:19:45 -0700
- To: Jonathan Rees <jar@creativecommons.org>, Rotan Hanrahan <rotan.hanrahan@mobileaware.com>
- CC: "www-tag@w3.org" <www-tag@w3.org>, Thinh Nguyen <thinh@creativecommons.org>

(Composed earlier and a little out of order now):

You'd think I'd be happy to disclaim the TAG reducing its work in this area, citing that it is a "non-technical" question, but there's still an architectural framework of messages and responsibility; recall the http://lists.w3.org/Archives/Public/www-tag/2009Oct/0020.html discussion about authoritative metadata, MIME types, and the responsibility associated with sending a JPEG image which says "fire! fire!" as text/plain (or some such; I think the minutes didn't catch the full example.)

In the cases of deep linking, I think we should look at whether the security and administrative concerns that lead to consideration of "same origin cookies", CORS, mash-ups, and the browser security concerns around delegated authority and confused deputy attacks are additional sources of requirements for consideration.

Producer A creates a message W (an HTTP response in HTML, say) which the producer purports comes from A, and sends the message to consumer B. Consumer B reads and interprets the message, believing the message to be delivered with A's authority and ownership.

However, consumer B, following W3C recommendations, sees images or frames or sometimes redirects or links to images, data, or pages viewed that do not actually come from producer A, but instead producer C. W might contain IMG tags pointing to C's site, or frame a page from C's site, or otherwise use C's information without C's knowledge, permission, authorization, or copyright release.

Producer A is not merely "uttering" the address of C's data, producer A is sending B a message which causes B to be confused about the source. If Producer A is responsible for the effect of A's messages on consumer B if consumer B is carefully following recommendations or well-known best practice, then can Producer A be held responsible for misappropriating C's information?

The act to focus on, though, is not merely the "uttering" of the link, but the use of a link in a context which causes the receiver to follow the link in a different context than the one intended. Whether this is illegal, a violation of some right of C, rude or misleading may be out of scope for the TAG, but at least we might be able to provide a clearer foundation for talking about such things.

If there is a free sports event, but someone stands outside selling "tickets", is this illegal or merely enterprising? If someone takes a freely distributed TV recording and substitutes their own advertisers for the original ones, is this illegal, rude, or just fun? I think the judgment about legality may depend on the way in which deep linking is used, and certainly a blanket ban on "deep linking" isn't likely to be useful.

Another way in which W3C recommendations might have some effect on the question of deep linking is whether W3C (or IETF) provide mechanisms by which deep linking can be effectively prevented; for example, could the Origin mechanism being proposed to solve cross-origin request spoofing also be used to prevent links from other sites?

Larry
--
http://larry.masinter.net

Received on Friday, 16 October 2009 16:20:23 UTC
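
One way producer C's server could refuse embedded use of its resources while still accepting plain links, as an added example that is not part of the original message. It assumes the browser sends `Origin`, `Referer`, or the Fetch Metadata headers `Sec-Fetch-Site` and `Sec-Fetch-Dest` (the latter two are not mentioned in the message); `decideRequest`, `POLICY`, and all hostnames are hypothetical.

```javascript
// Added example: producer C's server-side decision for one request.
// Header names are real; decideRequest, POLICY and the hostnames are
// hypothetical. Keys are lowercased, as Node's http module delivers them.
const POLICY = {
  self: 'https://c.example',
  allowedEmbedders: new Set(['https://partner.example']),
};

// Origin of the page that triggered the request, or null if the browser
// sent neither a usable Origin nor a parseable Referer.
function initiatorOrigin(headers) {
  if (headers.origin && headers.origin !== 'null') return headers.origin;
  try {
    return new URL(headers.referer).origin;
  } catch {
    return null;
  }
}

function decideRequest(headers, policy = POLICY) {
  const site = headers['sec-fetch-site'];
  const dest = headers['sec-fetch-dest'];
  const from = initiatorOrigin(headers);

  // Typed URL, bookmark, or a request made by C's own pages.
  if (site === 'none' || site === 'same-origin' || from === policy.self) {
    return { allow: true, reason: 'direct-or-same-origin' };
  }
  // A top-level navigation is A "uttering" a link: B lands on C's page
  // with C's address visible, so B is not confused about the source.
  if (dest === 'document') return { allow: true, reason: 'plain-link' };
  // No initiator information (older client, Referer stripped). These
  // headers are set by the browser and a non-browser client can send
  // anything, so fail open rather than break legitimate users.
  if (from === null) return { allow: true, reason: 'no-initiator-info' };
  // Embedded use (img, iframe, ...) inside another producer's message.
  // Without Sec-Fetch-Dest a cross-site link and an embed look alike;
  // this sketch treats both as embeds.
  return policy.allowedEmbedders.has(from)
    ? { allow: true, reason: 'allowed-embedder' }
    : { allow: false, reason: 'cross-site-embed' };
}
```

The check protects a consumer B whose browser follows the specifications; it does not authenticate the requester.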