Re: Privacy HR requested for JSON-LD 1.1 Syntax, API and Framing

Dear Pete, all,

Sincere apologies for the silence; I was on vacation and then had to catch
up with regular work fires.

We discussed the questions in the WG and feel that you're right that the
situation is a clear edge case. We have been encouraged to use WebIDL for
consistency with other specifications, and even to the point of having to
put in slightly spurious fields (such as that the scope is a window,
because respec requires that field to be present or it raises errors!).

In terms of the interactions, by browser or other client system, all of the
interactions fall through to the existing APIs such as XMLHttpRequest and
Fetch. We don't make any requirements there, and expect that the cookies
and other headers that the user has allowed to be sent will be sent. For
example, if the client needs to be authenticated in order to retrieve a
JSON-LD context file, then the authentication information should be sent in
the regular way. So we can't say MUST NOT send any state or user tracking
information, but we certainly neither require any in particular, nor have
any special considerations.

Hope that answers the questions, and thank you for your patience and
engagement with the complexities here!

Rob

Received on Thursday, 15 August 2019 17:38:13 UTC