- From: Roy Fielding via cvs-syncmail <cvsmail@w3.org>
- Date: Mon, 06 Aug 2012 21:33:32 +0000
- To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts In directory hutz:/tmp/cvs-serv19175 Modified Files: tracking-dnt.html Log Message: ISSUE-124: (incomplete) revise tracking status value to N/0/1/C/X Index: tracking-dnt.html =================================================================== RCS file: /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html,v retrieving revision 1.136 retrieving revision 1.137 diff -u -d -r1.136 -r1.137 --- tracking-dnt.html 3 Aug 2012 16:51:06 -0000 1.136 +++ tracking-dnt.html 6 Aug 2012 21:33:30 -0000 1.137 @@ -526,7 +526,7 @@ the tracking status might vary based on data within the request. It also defines a <a>Tk</a> response header field that MAY be sent in any HTTP response, MUST be sent in responses to requests that - modify the tracking status for a user agent, and MAY direct the + modify the tracking status, and MAY direct the user to a request-specific tracking status resource applicable to the current request. </p> 
@@ -539,16 +539,15 @@ A <dfn>tracking status value</dfn> is a short notation for communicating how a designated resource conforms to this protocol. For a site-wide tracking status resource, the designated resource - is any resource on the same origin server. For a Tk response - header field, the resource that sent the Tk header field in response - is the designated resource, and remains the designated resource - for any subsequent request-specific tracking status resource - referred to by the Tk field's status-id. + is any resource on the same origin server. For a <a>Tk</a> response + header field, the corresponding request target is the designated + resource and remains so for any subsequent request-specific + tracking status resource referred to by the <a>Tk</a> field's status-id. </p> <p> Each of the response mechanisms use a common format to indicate the tracking status for a designated resource. This - <dfn>tracking status value</dfn> is a string of characters from a + <dfn>tracking status value</dfn> is a single character from a limited set, where the meaning of each allowed character is defined in the following table. </p> 
@@ -556,49 +555,59 @@ <tr><th>status</th> <th>meaning</th> </tr> - <tr><td align="middle">N</td> - <td>None: The designated resource does not perform tracking or - make use of any data collected from tracking, not even for - permitted uses.<td> + <tr><td align="middle"><dfn>N</dfn></td> + <td><strong>None</strong>: The designated resource does not + perform tracking or make use of any data collected from + tracking, not even for permitted uses.<td> </tr> - <tr><td align="middle">1</td> - <td>First party: The designated resource is designed for use - within a first-party context and conforms to the requirements - on a first party.</td> + <tr><td align="middle"><dfn>1</dfn></td> + <td><strong>First party</strong>: The designated resource is + designed for use within a first-party context and conforms to + the requirements on a first party.</td> </tr> - <tr><td align="middle">3</td> - <td>Third party: The designated resource is designed for use - within a first-party context and conforms to the requirements - on a third party.<td> + <tr><td align="middle"><dfn>3</dfn></td> + <td><strong>Third party</strong>: The designated resource is + designed for use within a first-party context and conforms to + the requirements on a third party.<td> </tr> - <tr><td align="middle">X</td> - <td>Dynamic: The designated resource is designed for use in - both first and third party contexts and dynamically adjusts - tracking status accordingly. - If this value is present in the site-wide tracking status, - more information will be provided via the Tk response header - field. - If this value is present in the Tk response header field, + <tr><td align="middle"><dfn>X</dfn></td> + <td><strong>Dynamic</strong>: The designated resource is + designed for use in both first and third party contexts and + dynamically adjusts tracking status accordingly. 
+ If <code>X</code> is present in the site-wide tracking status, + more information will be provided via the <a>Tk</a> response + header field when accessing the designated resource. + If <code>X</code> is present in the <a>Tk</a> header field, more information will be provided in the request-specific - tracking status resource referred to by the status-id. - "X" MUST NOT be present in the tracking status value of - a request-specific tracking status resource.<td> + tracking status resource referred to by the <a>status-id</a>. + An origin server MUST NOT send <code>X</code> as the + tracking status value in the representation of a + request-specific tracking status resource.<td> </tr> - <tr><td align="middle">S</td> - <td>Service provider: The designated resource is operated by - a service provider acting on behalf of the first party - and conforms to the requirements for both a first party - and a service provider acting as a first party.<td> + <tr><td align="middle"><dfn>S</dfn></td> + <td><strong>Service provider</strong>: The designated resource + is operated by a service provider acting on behalf of the + first party and conforms to the requirements for both a first + party and a service provider acting as a first party.<td> </tr> - <tr><td align="middle">C</td> - <td>Consent: The designated resource believes it has received - prior explicit and informed consent for tracking this user, - user agent, or device, perhaps via some mechanism - not defined by this specification, and that prior consent - overrides the tracking preference expressed by this protocol. 
- When prior consent is indicated, the tracking status object - SHOULD include a <code><a>control</a></code> member that - references a resource for modifying the consent.<td> + <tr><td align="middle"><dfn>C</dfn></td> + <td><strong>Consent</strong>: The designated resource believes + it has received prior explicit and informed consent for + tracking this user, user agent, or device, perhaps via some + mechanism not defined by this specification, and that prior + consent overrides the tracking preference expressed by this + protocol. + </tr> + <tr><td align="middle"><dfn>U</dfn></td> + <td><strong>Updated</strong>: The request resulted in a + potential change to the tracking status applicable to this + user, user agent, or device. If the user agent relies on a + cached tracking status, it SHOULD update the cache entry with + the current status by making a new request on the applicable + tracking status resource. An origin server MUST NOT send + <code>U</code> as a tracking status value anywhere other than + a <a>Tk</a> header field that is in response to a + state-changing request. </tr> </table> <p class="issue"><a href="http://www.w3.org/2011/tracking-protection/track/issues/137">ISSUE-137</a>: Does hybrid tracking status need to distinguish between first party (1) and outsourcing service provider acting as a first party (s)<br /> @@ -647,7 +656,7 @@ some aspect of the request (e.g., method, target URI, header fields, data, etc.), the origin server MAY provide an additional subtree of well-known resources corresponding to each of those - distinct tracking statuses. The Tk response header field + distinct tracking statuses. The <a>Tk</a> response header field (<a href="#response-header-field" class="sectionRef"></a>) can include a <a>status-id</a> to indicate which specific tracking status resource applies to the current request. 
@@ -661,8 +670,8 @@ <pre>/.well-known/dnt{/status-id}</pre> <p> where the value of <code>status-id</code> is a string of URI-safe - characters provided by a Tk field-value in response to a prior - request. For example, a prior response containing + characters provided by a <a>Tk</a> field-value in response to a + prior request. For example, a prior response containing </p> <pre>Tk: 1;fRx42</pre> <p> @@ -710,8 +719,7 @@ </p> <pre class="example"> { - "tracking": true, - "response": "t1", + "tracking": "1", "same-party": [ "example.com", "example_vids.net", @@ -734,13 +742,9 @@ </p> <p> A <a>status-object</a> MUST have a member named - <code><a>tracking</a></code> with a boolean value. - A value of <code><a>false</a></code> indicates that the - corresponding resources do not perform tracking as it is - defined by [[!TRACKING-COMPLIANCE]]. - A value of <code><a>true</a></code> indicates that the - corresponding resource performs tracking and claims to conform to - all tracking compliance requirements applicable to this site. + <code><a>tracking</a></code> that contains a single character + tracking status value + (<a href="#tracking-status-value" class="sectionRef"></a>). </p> <p> For example, the following demonstrates a minimal tracking status 
@@ -748,27 +752,9 @@ perform tracking. </p> <pre class="example"> -{"tracking": false} +{"tracking": "N"} </pre> <p> - If <code><a>tracking</a></code> is <code><a>true</a></code>, - the <a>status-object</a> MUST include an additional member named - <code><a>response</a></code> and MAY include other members as - described below. - </p> - <p> - The <code></a>response</a></code> member MUST have a string value - that indicates the status of tracking applicable specifically to - this user in light of the received <a>DNT-field-value</a>. - The string value begins with <code>t</code> (tracking), - <code>n</code> (not tracking), or <code>s</code> (see the more - specific tracking status resource), - and MAY be followed by alphanumeric characters that indicate - qualifiers for that status. - The defined qualifier characters and their meanings are described - in <a href="#status-response-value" class="sectionRef"></a>. - </p> - <p> An OPTIONAL member named <code><a>same-party</a></code> MAY be provided with an array value containing a list of domain names that the origin server claims are the same party, to the extent @@ -802,7 +788,9 @@ An OPTIONAL member named <code><a>control</a></code> MAY be provided with a string value containing a URI-reference to a resource for giving the user control over personal data collected - by this site. Such control might include the ability to review + by this site; it SHOULD be provided if the tracking status value + indicates prior consent (<code><a>C</a></code>). + Such a control resource might include the ability to review past data collected, delete some or all of the data, provide additional data (if desired), or <q>opt-in</q>, <q>opt-out</q>, or otherwise modify an out-of-band consent status regarding @@ -823,8 +811,7 @@ third-party tracking status is <pre class="example"> { - "tracking": true, - "response": "n", + "tracking": "3", "policy": "/privacy.html", "control": "/your/data", } 
@@ -896,7 +883,7 @@ that each such use conforms to the associated requirements. All limitation qualifiers imply some form of tracking might be used and thus MUST NOT be provided with a tracking status - that begins with <code>N</code> (not tracking). + value of <code>N</code> (not tracking). </p> <p> Future extensions to this protocol might define additional @@ -929,9 +916,10 @@ behavior over time. </p> <p> - A user agent MAY check the tracking status for a given resource - URI by making a retrieval request for the well-known address - </q><code>/.well-known/dnt</code></q> relative to that URI. + A user agent MAY check the tracking status for a designated + resource by making a retrieval request for the well-known address + </q><code>/.well-known/dnt</code></q> relative to the URI of the + designated resource. </p> <p> If the response is an error, then the service does not implement 
@@ -951,41 +939,23 @@ </p> <p> The <a>status-object</a> is supposed to have a member named - <code><a>tracking</a></code> with a boolean value. If the value - is <q>false</q>, then no tracking is performed for the URI being - checked. - </p> - <p> - Otherwise, examine - the member named <code><a>response</a></code> to see what the - origin server has claimed regarding the tracking status for this - user agent in light of the received <a>DNT-field-value</a>. - </p> - <p> - If the first character of the <code><a>response</a></code> value - is "n", then the origin server claims that it will not track the - user agent for requests on the URI being checked for at least the - next 24 hours or until the Cache-Control information indicates - that this response expires, as described below. + <code><a>tracking</a></code> containing the tracking status value. </p> <p> - If the first character of the <code><a>response</a></code> value - is "t", then the origin server claims that it might track the - user agent for requests on the URI being checked for at least the - next 24 hours or until the Cache-Control information indicates - that this response expires. + If the tracking status value is <a>N</a>, then the origin server + claims that no tracking is performed for the designated resource + for at least the next 24 hours or until the Cache-Control + information indicates that this response expires. </p> <p> - If the first character of the <code><a>response</a></code> value - is "s", then the origin server has multiple tracking status - representations and the specific one applicable to each request - is indicated by a status-id within the Tk field-value of the - corresponding response. + If the tracking status value is not <a>N</a>, then the origin + server claims that it might track the user agent for requests on + the URI being checked for at least the next 24 hours or until the + Cache-Control information indicates that this response expires. 
</p> <p> - The remaining characters of the <code><a>response</a></code> value - might indicate qualifiers for the above choices or limitations - that the origin server will place on its tracking. + The meaning of each tracking status value is defined in + <a href="#tracking-status-value" class="sectionRef"></a>. </p> <p> The others members of the <a>status-object</a> MAY be used to @@ -1017,17 +987,18 @@ </p> <p> If the tracking status is only applicable to all users that have - the same <q>DNT-field-value</q>, then either the response MUST - include a Cache-Control header field with one of the directives - "no-cache", "no-store", "must-revalidate", or "max-age=0", or - the response MUST include a Vary header field that includes "DNT" - in its field-value. + the same <q>DNT-field-value</q>, then the response MUST either be + marked with a Vary header field that includes "DNT" in its + field-value or marked as not reusable by a shared cache without + revalidation with a Cache-Control header field containing one of + the following directives: "private", "no-cache", "no-store", or + "max-age=0". </p> <p> If the tracking status is only applicable to the specific user - that requested it, then the response MUST include a - Cache-Control header field with one of the directives "no-cache", - "no-store", "must-revalidate", or "max-age=0". + that requested it, then the response MUST include a Cache-Control + header field containing one of the following directives: + "private", "no-cache", or "no-store". </p> <p> Regardless of the cache-control settings, it is expected that @@ -1043,7 +1014,7 @@ of tracking status, relying on cached tracking status responses to do so, SHOULD check responses to its state-changing requests (e.g., POST, PUT, DELETE, etc.) for a <a>Tk</a> header field - with the <a>update-needed</a> field-value, as described in + with the <a>U</a> tracking status value, as described in <a href="#interactive-status-change" class="sectionRef"></a>. </p> </section> 
@@ -1060,7 +1031,7 @@ <pre class="abnf"> <dfn>status-object</dfn> = begin-object member-list end-object <dfn>member-list</dfn> = tracking ns tracking-v - [ vs response ns response-v ] + [ vs uses ns uses-v ] [ vs same-party ns same-party-v ] [ vs partners ns partners-v ] [ vs audit ns audit-v ] @@ -1069,26 +1040,26 @@ *( vs extension ) <dfn>tracking</dfn> = %x22 "tracking" %x22 -<dfn>tracking-v</dfn> = true / false - -<dfn>response</dfn> = %x22 "response" %x22 -<dfn>response-v</dfn> = %x22 <a>r-codes</a> %x22 +<dfn>tracking-v</dfn> = "1" ; "1" — first-party + / "3" ; "3" — third-party + / %x43 ; "C" - consent + / %x4E ; "N" - none + / %x53 ; "S" - service provider + / %x55 ; "U" - updated + / %x58 ; "X" - dynamic -<dfn>r-codes</dfn> = (%x74 / %x6E / %x73) *qualifier +<dfn>uses</dfn> = %x22 "uses" %x22 +<dfn>uses-v</dfn> = %x22 *<a>qualifier</a> %x22 -<dfn>qualifier</dfn> = "1" ; "1" — first-party - / "3" ; "3" — third-party - / %x61 ; "a" — audit +<dfn>qualifier</dfn> = %x61 ; "a" — audit / %x63 ; "c" — ad frequency capping / %x66 ; "f" — fraud prevention / %x6C ; "l" — local law, rule, or regulation - / %x70 ; "p" — prior consent / %x72 ; "r" — referrals / ext-qualifier -<dfn>ext-qualifier</dfn> = %x2D-2E / "0" / "2" / %x34-39 / %x5F - / %x62 / %x64-65 / %x67-6B / %x6D / %x6F - / %x71 / %x75-7A +<dfn>ext-qualifier</dfn> = %x2D-2E / %x30-39 / %x5F / %x62 + / %x64-65 / %x67-6B / %x6D-71 / %x73-7A <dfn>same-party</dfn> = %x22 "same-party" %x22 <dfn>same-party-v</dfn> = array-of-strings @@ -1161,7 +1132,7 @@ <h4>Indicating Tracking Design</h4> <p> - The Tk field-value begins with a single character + The <a>Tk</a> field-value begins with a single character <a>tracking-design</a> that indicates how the target resource conforms to [[!TRACKING-COMPLIANCE]]. We refer to this as the tracking design because it reflects only how the resource is 
@@ -1246,7 +1217,7 @@ fields, data, etc.), the origin server MAY provide an additional subtree of well-known resources corresponding to each of those distinct tracking statuses. The OPTIONAL <a>status-id</a> portion - of the Tk field-value indicates which specific tracking + of the <a>Tk</a> field-value indicates which specific tracking status resource applies to the current request. </p> <p>
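Review bot: In the hunk at @@ -539,16 +539,15 @@, `<dfn>tracking status value</dfn>` now appears in both paragraphs, so the term has two defining instances. Keep the `<dfn>` in the first paragraph and turn the second occurrence into an `<a>tracking status value</a>` reference. The unchanged sentence "Each of the response mechanisms use a common format" should also read "uses".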
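Review bot: In the status table hunk at @@ -556,49 +555,59 @@, the rewritten row for `3` still describes the resource as "designed for use within a first-party context" while conforming to the requirements on a third party. That wording looks copied from the `1` row and should read "third-party context". The N, 3, X and S cells still end with `<td>` where `</td>` is meant, and the new C and U cells have no closing tag at all before `</tr>`. The log message names N/0/1/C/X, but the table defines N, 1, 3, X, S, C and U, so the two need reconciling before ISSUE-124 is closed.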
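Review bot: In the third-party example at @@ -823,8 +811,7 @@, the unchanged line `"control": "/your/data",` leaves a trailing comma before the closing brace, so the example is not valid JSON and will be rejected by a strict parser. Since the example is being touched anyway, drop the comma in the same change.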
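Review bot: In the hunk at @@ -929,9 +916,10 @@, the rewritten paragraph carries over the malformed quote markup `</q><code>/.well-known/dnt</code></q>`, which opens with a closing tag. The first `</q>` should be `<q>` so the well-known address is quoted as intended.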
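Review bot: In the hunk at @@ -951,41 +939,23 @@, the new "If the tracking status value is not N" paragraph folds every other value into "might track the user agent", which drops the handling the removed "s" paragraph gave to sites with multiple tracking status representations. A user agent reading `X` from the site-wide resource needs to be told here to look for the status-id in the Tk field-value, as the status table says. The two new paragraphs also differ in wording ("for the designated resource" versus "requests on the URI being checked"); use "designated resource" in both.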
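Review bot: In the caching hunk at @@ -1017,17 +987,18 @@, the two directive lists are no longer parallel: the DNT-field-value case allows "private", "no-cache", "no-store" or "max-age=0", while the user-specific case allows only "private", "no-cache" or "no-store", and "must-revalidate" is dropped from both without explanation. If the omission of "max-age=0" for user-specific status is deliberate, say why in the text; otherwise an implementer comparing the two paragraphs cannot tell which list is authoritative. The phrase "only applicable to all users that have the same DNT-field-value" is also hard to parse and could read "applicable only to users that send the same DNT-field-value".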
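Review bot: In the ABNF hunk at @@ -1069,26 +1040,26 @@, `tracking-v` is defined as a bare character with no surrounding `%x22`, yet the examples in this patch show a JSON string (`{"tracking": "N"}`) and the new `uses-v` rule does include the quotes. As written, the grammar does not match the examples; wrap the alternatives in `%x22 ... %x22`. The rule also admits `U` (`%x55`), which the status table restricts to a Tk header field, so either remove it from `tracking-v` or note the restriction in a comment. The comments for "1" and "3" use a different dash character from the five lines added below them.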
Received on Monday, 6 August 2012 21:33:34 UTC