- From: Roy Fielding via cvs-syncmail <cvsmail@w3.org>
- Date: Mon, 06 Aug 2012 21:33:32 +0000
- To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory hutz:/tmp/cvs-serv19175
Modified Files:
tracking-dnt.html
Log Message:
ISSUE-124: (incomplete) revise tracking status value to N/0/1/C/X
Index: tracking-dnt.html
===================================================================
RCS file: /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html,v
retrieving revision 1.136
retrieving revision 1.137
diff -u -d -r1.136 -r1.137
--- tracking-dnt.html 3 Aug 2012 16:51:06 -0000 1.136
+++ tracking-dnt.html 6 Aug 2012 21:33:30 -0000 1.137
@@ -526,7 +526,7 @@
the tracking status might vary based on data within the request.
It also defines a <a>Tk</a> response header field that MAY be sent
in any HTTP response, MUST be sent in responses to requests that
- modify the tracking status for a user agent, and MAY direct the
+ modify the tracking status, and MAY direct the
user to a request-specific tracking status resource applicable to
the current request.
</p>
@@ -539,16 +539,15 @@
A <dfn>tracking status value</dfn> is a short notation for
communicating how a designated resource conforms to this protocol.
For a site-wide tracking status resource, the designated resource
- is any resource on the same origin server. For a Tk response
- header field, the resource that sent the Tk header field in response
- is the designated resource, and remains the designated resource
- for any subsequent request-specific tracking status resource
- referred to by the Tk field's status-id.
+ is any resource on the same origin server. For a <a>Tk</a> response
+ header field, the corresponding request target is the designated
+ resource and remains so for any subsequent request-specific
+ tracking status resource referred to by the <a>Tk</a> field's status-id.
</p>
<p>
Each of the response mechanisms use a common format to indicate
the tracking status for a designated resource. This
- <dfn>tracking status value</dfn> is a string of characters from a
+ <dfn>tracking status value</dfn> is a single character from a
limited set, where the meaning of each allowed character is
defined in the following table.
</p>
@@ -556,49 +555,59 @@
<tr><th>status</th>
<th>meaning</th>
</tr>
- <tr><td align="middle">N</td>
- <td>None: The designated resource does not perform tracking or
- make use of any data collected from tracking, not even for
- permitted uses.<td>
+ <tr><td align="middle"><dfn>N</dfn></td>
+ <td><strong>None</strong>: The designated resource does not
+ perform tracking or make use of any data collected from
+ tracking, not even for permitted uses.<td>
</tr>
- <tr><td align="middle">1</td>
- <td>First party: The designated resource is designed for use
- within a first-party context and conforms to the requirements
- on a first party.</td>
+ <tr><td align="middle"><dfn>1</dfn></td>
+ <td><strong>First party</strong>: The designated resource is
+ designed for use within a first-party context and conforms to
+ the requirements on a first party.</td>
</tr>
- <tr><td align="middle">3</td>
- <td>Third party: The designated resource is designed for use
- within a first-party context and conforms to the requirements
- on a third party.<td>
+ <tr><td align="middle"><dfn>3</dfn></td>
+ <td><strong>Third party</strong>: The designated resource is
+ designed for use within a first-party context and conforms to
+ the requirements on a third party.<td>
</tr>
- <tr><td align="middle">X</td>
- <td>Dynamic: The designated resource is designed for use in
- both first and third party contexts and dynamically adjusts
- tracking status accordingly.
- If this value is present in the site-wide tracking status,
- more information will be provided via the Tk response header
- field.
- If this value is present in the Tk response header field,
+ <tr><td align="middle"><dfn>X</dfn></td>
+ <td><strong>Dynamic</strong>: The designated resource is
+ designed for use in both first and third party contexts and
+ dynamically adjusts tracking status accordingly.
+ If <code>X</code> is present in the site-wide tracking status,
+ more information will be provided via the <a>Tk</a> response
+ header field when accessing the designated resource.
+ If <code>X</code> is present in the <a>Tk</a> header field,
more information will be provided in the request-specific
- tracking status resource referred to by the status-id.
- "X" MUST NOT be present in the tracking status value of
- a request-specific tracking status resource.<td>
+ tracking status resource referred to by the <a>status-id</a>.
+ An origin server MUST NOT send <code>X</code> as the
+ tracking status value in the representation of a
+ request-specific tracking status resource.<td>
</tr>
- <tr><td align="middle">S</td>
- <td>Service provider: The designated resource is operated by
- a service provider acting on behalf of the first party
- and conforms to the requirements for both a first party
- and a service provider acting as a first party.<td>
+ <tr><td align="middle"><dfn>S</dfn></td>
+ <td><strong>Service provider</strong>: The designated resource
+ is operated by a service provider acting on behalf of the
+ first party and conforms to the requirements for both a first
+ party and a service provider acting as a first party.<td>
</tr>
- <tr><td align="middle">C</td>
- <td>Consent: The designated resource believes it has received
- prior explicit and informed consent for tracking this user,
- user agent, or device, perhaps via some mechanism
- not defined by this specification, and that prior consent
- overrides the tracking preference expressed by this protocol.
- When prior consent is indicated, the tracking status object
- SHOULD include a <code><a>control</a></code> member that
- references a resource for modifying the consent.<td>
+ <tr><td align="middle"><dfn>C</dfn></td>
+ <td><strong>Consent</strong>: The designated resource believes
+ it has received prior explicit and informed consent for
+ tracking this user, user agent, or device, perhaps via some
+ mechanism not defined by this specification, and that prior
+ consent overrides the tracking preference expressed by this
+ protocol.
+ </tr>
+ <tr><td align="middle"><dfn>U</dfn></td>
+ <td><strong>Updated</strong>: The request resulted in a
+ potential change to the tracking status applicable to this
+ user, user agent, or device. If the user agent relies on a
+ cached tracking status, it SHOULD update the cache entry with
+ the current status by making a new request on the applicable
+ tracking status resource. An origin server MUST NOT send
+ <code>U</code> as a tracking status value anywhere other than
+ a <a>Tk</a> header field that is in response to a
+ state-changing request.
</tr>
</table>
<p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/137">ISSUE-137</a>: Does hybrid tracking status need to distinguish between first party (1) and outsourcing service provider acting as a first party (s)<br />
@@ -647,7 +656,7 @@
some aspect of the request (e.g., method, target URI, header
fields, data, etc.), the origin server MAY provide an additional
subtree of well-known resources corresponding to each of those
- distinct tracking statuses. The Tk response header field
+ distinct tracking statuses. The <a>Tk</a> response header field
(<a href="#response-header-field" class="sectionRef"></a>) can
include a <a>status-id</a> to indicate which specific tracking
status resource applies to the current request.
@@ -661,8 +670,8 @@
<pre>/.well-known/dnt{/status-id}</pre>
<p>
where the value of <code>status-id</code> is a string of URI-safe
- characters provided by a Tk field-value in response to a prior
- request. For example, a prior response containing
+ characters provided by a <a>Tk</a> field-value in response to a
+ prior request. For example, a prior response containing
</p>
<pre>Tk: 1;fRx42</pre>
<p>
@@ -710,8 +719,7 @@
</p>
<pre class="example">
{
- "tracking": true,
- "response": "t1",
+ "tracking": "1",
"same-party": [
"example.com",
"example_vids.net",
@@ -734,13 +742,9 @@
</p>
<p>
A <a>status-object</a> MUST have a member named
- <code><a>tracking</a></code> with a boolean value.
- A value of <code><a>false</a></code> indicates that the
- corresponding resources do not perform tracking as it is
- defined by [[!TRACKING-COMPLIANCE]].
- A value of <code><a>true</a></code> indicates that the
- corresponding resource performs tracking and claims to conform to
- all tracking compliance requirements applicable to this site.
+ <code><a>tracking</a></code> that contains a single character
+ tracking status value
+ (<a href="#tracking-status-value" class="sectionRef"></a>).
</p>
<p>
For example, the following demonstrates a minimal tracking status
@@ -748,27 +752,9 @@
perform tracking.
</p>
<pre class="example">
-{"tracking": false}
+{"tracking": "N"}
</pre>
<p>
- If <code><a>tracking</a></code> is <code><a>true</a></code>,
- the <a>status-object</a> MUST include an additional member named
- <code><a>response</a></code> and MAY include other members as
- described below.
- </p>
- <p>
- The <code></a>response</a></code> member MUST have a string value
- that indicates the status of tracking applicable specifically to
- this user in light of the received <a>DNT-field-value</a>.
- The string value begins with <code>t</code> (tracking),
- <code>n</code> (not tracking), or <code>s</code> (see the more
- specific tracking status resource),
- and MAY be followed by alphanumeric characters that indicate
- qualifiers for that status.
- The defined qualifier characters and their meanings are described
- in <a href="#status-response-value" class="sectionRef"></a>.
- </p>
- <p>
An OPTIONAL member named <code><a>same-party</a></code> MAY be
provided with an array value containing a list of domain names
that the origin server claims are the same party, to the extent
@@ -802,7 +788,9 @@
An OPTIONAL member named <code><a>control</a></code> MAY be
provided with a string value containing a URI-reference to a
resource for giving the user control over personal data collected
- by this site. Such control might include the ability to review
+ by this site; it SHOULD be provided if the tracking status value
+ indicates prior consent (<code><a>C</a></code>).
+ Such a control resource might include the ability to review
past data collected, delete some or all of the data, provide
additional data (if desired), or <q>opt-in</q>, <q>opt-out</q>,
or otherwise modify an out-of-band consent status regarding
@@ -823,8 +811,7 @@
third-party tracking status is
<pre class="example">
{
- "tracking": true,
- "response": "n",
+ "tracking": "3",
"policy": "/privacy.html",
"control": "/your/data",
}
@@ -896,7 +883,7 @@
that each such use conforms to the associated requirements.
All limitation qualifiers imply some form of tracking might
be used and thus MUST NOT be provided with a tracking status
- that begins with <code>N</code> (not tracking).
+ value of <code>N</code> (not tracking).
</p>
<p>
Future extensions to this protocol might define additional
@@ -929,9 +916,10 @@
behavior over time.
</p>
<p>
- A user agent MAY check the tracking status for a given resource
- URI by making a retrieval request for the well-known address
- </q><code>/.well-known/dnt</code></q> relative to that URI.
+ A user agent MAY check the tracking status for a designated
+ resource by making a retrieval request for the well-known address
+ </q><code>/.well-known/dnt</code></q> relative to the URI of the
+ designated resource.
</p>
<p>
If the response is an error, then the service does not implement
@@ -951,41 +939,23 @@
</p>
<p>
The <a>status-object</a> is supposed to have a member named
- <code><a>tracking</a></code> with a boolean value. If the value
- is <q>false</q>, then no tracking is performed for the URI being
- checked.
- </p>
- <p>
- Otherwise, examine
- the member named <code><a>response</a></code> to see what the
- origin server has claimed regarding the tracking status for this
- user agent in light of the received <a>DNT-field-value</a>.
- </p>
- <p>
- If the first character of the <code><a>response</a></code> value
- is "n", then the origin server claims that it will not track the
- user agent for requests on the URI being checked for at least the
- next 24 hours or until the Cache-Control information indicates
- that this response expires, as described below.
+ <code><a>tracking</a></code> containing the tracking status value.
</p>
<p>
- If the first character of the <code><a>response</a></code> value
- is "t", then the origin server claims that it might track the
- user agent for requests on the URI being checked for at least the
- next 24 hours or until the Cache-Control information indicates
- that this response expires.
+ If the tracking status value is <a>N</a>, then the origin server
+ claims that no tracking is performed for the designated resource
+ for at least the next 24 hours or until the Cache-Control
+ information indicates that this response expires.
</p>
<p>
- If the first character of the <code><a>response</a></code> value
- is "s", then the origin server has multiple tracking status
- representations and the specific one applicable to each request
- is indicated by a status-id within the Tk field-value of the
- corresponding response.
+ If the tracking status value is not <a>N</a>, then the origin
+ server claims that it might track the user agent for requests on
+ the URI being checked for at least the next 24 hours or until the
+ Cache-Control information indicates that this response expires.
</p>
<p>
- The remaining characters of the <code><a>response</a></code> value
- might indicate qualifiers for the above choices or limitations
- that the origin server will place on its tracking.
+ The meaning of each tracking status value is defined in
+ <a href="#tracking-status-value" class="sectionRef"></a>.
</p>
<p>
The others members of the <a>status-object</a> MAY be used to
@@ -1017,17 +987,18 @@
</p>
<p>
If the tracking status is only applicable to all users that have
- the same <q>DNT-field-value</q>, then either the response MUST
- include a Cache-Control header field with one of the directives
- "no-cache", "no-store", "must-revalidate", or "max-age=0", or
- the response MUST include a Vary header field that includes "DNT"
- in its field-value.
+ the same <q>DNT-field-value</q>, then the response MUST either be
+ marked with a Vary header field that includes "DNT" in its
+ field-value or marked as not reusable by a shared cache without
+ revalidation with a Cache-Control header field containing one of
+ the following directives: "private", "no-cache", "no-store", or
+ "max-age=0".
</p>
<p>
If the tracking status is only applicable to the specific user
- that requested it, then the response MUST include a
- Cache-Control header field with one of the directives "no-cache",
- "no-store", "must-revalidate", or "max-age=0".
+ that requested it, then the response MUST include a Cache-Control
+ header field containing one of the following directives:
+ "private", "no-cache", or "no-store".
</p>
<p>
Regardless of the cache-control settings, it is expected that
@@ -1043,7 +1014,7 @@
of tracking status, relying on cached tracking status responses
to do so, SHOULD check responses to its state-changing requests
(e.g., POST, PUT, DELETE, etc.) for a <a>Tk</a> header field
- with the <a>update-needed</a> field-value, as described in
+ with the <a>U</a> tracking status value, as described in
<a href="#interactive-status-change" class="sectionRef"></a>.
</p>
</section>
@@ -1060,7 +1031,7 @@
<pre class="abnf">
<dfn>status-object</dfn> = begin-object member-list end-object
<dfn>member-list</dfn> = tracking ns tracking-v
- [ vs response ns response-v ]
+ [ vs uses ns uses-v ]
[ vs same-party ns same-party-v ]
[ vs partners ns partners-v ]
[ vs audit ns audit-v ]
@@ -1069,26 +1040,26 @@
*( vs extension )
<dfn>tracking</dfn> = %x22 "tracking" %x22
-<dfn>tracking-v</dfn> = true / false
-
-<dfn>response</dfn> = %x22 "response" %x22
-<dfn>response-v</dfn> = %x22 <a>r-codes</a> %x22
+<dfn>tracking-v</dfn> = "1" ; "1" — first-party
+ / "3" ; "3" — third-party
+ / %x43 ; "C" - consent
+ / %x4E ; "N" - none
+ / %x53 ; "S" - service provider
+ / %x55 ; "U" - updated
+ / %x58 ; "X" - dynamic
-<dfn>r-codes</dfn> = (%x74 / %x6E / %x73) *qualifier
+<dfn>uses</dfn> = %x22 "uses" %x22
+<dfn>uses-v</dfn> = %x22 *<a>qualifier</a> %x22
-<dfn>qualifier</dfn> = "1" ; "1" — first-party
- / "3" ; "3" — third-party
- / %x61 ; "a" — audit
+<dfn>qualifier</dfn> = %x61 ; "a" — audit
/ %x63 ; "c" — ad frequency capping
/ %x66 ; "f" — fraud prevention
/ %x6C ; "l" — local law, rule, or regulation
- / %x70 ; "p" — prior consent
/ %x72 ; "r" — referrals
/ ext-qualifier
-<dfn>ext-qualifier</dfn> = %x2D-2E / "0" / "2" / %x34-39 / %x5F
- / %x62 / %x64-65 / %x67-6B / %x6D / %x6F
- / %x71 / %x75-7A
+<dfn>ext-qualifier</dfn> = %x2D-2E / %x30-39 / %x5F / %x62
+ / %x64-65 / %x67-6B / %x6D-71 / %x73-7A
<dfn>same-party</dfn> = %x22 "same-party" %x22
<dfn>same-party-v</dfn> = array-of-strings
@@ -1161,7 +1132,7 @@
<h4>Indicating Tracking Design</h4>
<p>
- The Tk field-value begins with a single character
+ The <a>Tk</a> field-value begins with a single character
<a>tracking-design</a> that indicates how the target resource
conforms to [[!TRACKING-COMPLIANCE]]. We refer to this as the
tracking design because it reflects only how the resource is
@@ -1246,7 +1217,7 @@
fields, data, etc.), the origin server MAY provide an additional
subtree of well-known resources corresponding to each of those
distinct tracking statuses. The OPTIONAL <a>status-id</a> portion
- of the Tk field-value indicates which specific tracking
+ of the <a>Tk</a> field-value indicates which specific tracking
status resource applies to the current request.
</p>
<p>
Received on Monday, 6 August 2012 21:33:34 UTC