Re: Privacy HR requested for JSON-LD 1.1 Syntax, API and Framing

Hi Robert,

Thank you for this, and for clarifying further.  I don't have any further privacy concerns, thanks for explaining further.  I don't know if you will get concerns about the WebIDL being kinda/sorta not correct since it's not really hanging off the Window interface, but that's not my department, and seems you’ve already thought through that anyway :)

Thanks!

Pete Snyder
{pes,psnyder}@brave.com
Brave Software
Privacy Researcher

> On Aug 29, 2019, at 12:37 PM, Robert Sanderson <azaroth42@gmail.com> wrote:
> 
> 
> Dear Pete, all,
> 
> We have an issue in our tracker here: https://github.com/w3c/json-ld-wg/issues/88 for Privacy horizontal review.  We've tried to capture the discussion in this thread there, I hope that's okay. 
> Unless we hear back that there's a problem that needs to be addressed, we feel that, as this is a strange edge case and we don't introduce any new state tracking or other features that might impinge on users' privacy, we are okay to proceed to CR.
> 
> If there is a need to continue discussion, would it be possible to meet at TPAC?
> 
> Many thanks for your time in helping to understand the issues!
> 
> Rob Sanderson & Benjamin Young (Co-chairs of JSON-LD WG)
> 
> 
> On Thu, Aug 15, 2019 at 10:37 AM Robert Sanderson <azaroth42@gmail.com> wrote:
> 
> Dear Pete, all,
> 
> Sincere apologies for the silence, I was on vacation and then had to catch up with regular work fires.
> 
> We discussed the questions in the WG and feel that you're right that the situation is a clear edge case. We have been encouraged to use WebIDL for consistency with other specifications, and even to the point of having to put in slightly spurious fields (such as that the scope is a window, because respec requires that field to be present or it raises errors!).
> 
> In terms of the interactions, by browser or other client system, all of the interactions fall through to the existing APIs such as XMLHttpRequest and Fetch. We don't make any requirements there, and expect that the cookies and other headers that the user has allowed to be sent will be sent. For example, if the client needs to be authenticated in order to retrieve a JSON-LD context file, then the authentication information should be sent in the regular way.  So we can't say MUST NOT send any state or user tracking information, but we certainly neither require any in particular, nor have any special considerations. 
> 
> Hope that answers the questions, and thank you for your patience and engagement with the complexities here!
> 
> Rob
> 
> 
> 
> -- 
> Rob Sanderson
> Semantic Architect
> The Getty Trust
> Los Angeles, CA 90049

Received on Friday, 30 August 2019 18:47:12 UTC