W3C home > Mailing lists > Public > public-tracking-commit@w3.org > December 2014

CVS WWW/2011/tracking-protection/drafts

From: CVS User dsinger2 <cvsmail@w3.org>
Date: Wed, 10 Dec 2014 01:20:23 +0000
Message-Id: <E1XyVx1-0001Dl-8i@gil.w3.org>
To: public-tracking-commit@w3.org
Update of /w3ccvs/WWW/2011/tracking-protection/drafts
In directory gil:/tmp/cvs-serv4693

Modified Files:
	tracking-dnt.html 
Log Message:
Add exception expiry and address last-call comments

--- /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html	2014/12/05 19:18:49	1.275
+++ /w3ccvs/WWW/2011/tracking-protection/drafts/tracking-dnt.html	2014/12/10 01:20:23	1.276
@@ -497,13 +497,13 @@
         <h3>JavaScript Property to Detect Preference</h3>
           <p>
             The <code>doNotTrack</code> property enables a client-side script
-            with read access to the Window object to determine what <a>DNT</a>
+            with read access to the Navigator object to determine what <a>DNT</a>
             header field value would be sent in requests to the
             document-origin, taking into account the user's general preference
             (if any) and any user-granted exceptions applicable to that
             origin server.
           </p>
-          <dl class="idl" title='partial interface Window'>
+          <dl class="idl" title='partial interface Navigator'>
             <dt>readonly attribute DOMString? doNotTrack</dt>
             <dd>Returns the same string value that would be sent in a
               <a>DNT-field-value</a>
@@ -515,6 +515,12 @@
               sent (e.g., because a tracking preference is <a>not enabled</a>).
             </dd>
           </dl>
+          <p class="note">
+            Note that the value includes not only the "0" or "1", but also
+            any DNT-extension; if no DNT header is sent, the return value is 
+            <code>null</code>, not an empty string (which would indicate that
+            a header is sent with no <a>DNT-field-value</a>).
+          </p> 
       </section>
 
       <section id='other-protocols'>
@@ -1549,17 +1555,12 @@
             specification, we define three terms:
           </p>
           <ul>
-            <li><strong>top-level origin</strong> is the domain name
-              of the top-level document origin of this DOM: essentially the
-              fully qualified domain name in the address bar.</li>
-            <li>A <strong>target</strong> site is a domain name which is the
-              target of an HTTP request, and which may be an origin for
-              embedded resources on <strong>the indicated top-level
-              origin</strong>.</li>
-            <li>The <strong>document origin</strong> of a script is the domain
-              of origin of the document that caused that script to be loaded
-              (not necessarily the same as the origin of the script
-              itself).</li>
+            <li><strong>top-level origin</strong> is a <strong>top-level
+              browsing context</strong> as defined in [[!HTML5]]</li>
+              <li>A <strong>target</strong> site is the Host part of an HTTP
+              URL as defined in [[!RFC3986]]</li>
+            <li>The <strong>document origin</strong> of a script is the
+            <strong>effective script origin</strong> as defined in [[!HTML5]]</li>
           </ul>
           <p>
              For instance, if the document at
@@ -1671,13 +1672,24 @@
           </dl>
           <dl class="idl" title="dictionary StoreExceptionPropertyBag">
               <dt>DOMString? domain</dt>
-              <dd>Cookie-like domain string to which the exception applies.</dd>
+              <dd>a cookie-domain as defined in [[!RFC6265]],
+                  to which the exception applies.</dd>
               <dt>DOMString? siteName</dt>
               <dd>A user-readable string for the name of the top-level origin.</dd>
               <dt>DOMString? explanationString</dt>
               <dd>A short explanation of the request.</dd>
               <dt>DOMString? detailURI</dt>
-              <dd>A location at which further information about this request can be found.</dd>
+              <dd>A location at which further information about this request can 
+              be found.</dd>
+              <dt>DOMString? expires</dt>
+              <dd>
+                    A date and time, encoded as described for the cookie
+                    <code>Expires</code> attribute described in [[RFC6265]], 
+                    indicating the maximum lifetime of the remembered grant.
+              </dd>
+              <dt>long? maxAge</dt>
+              <dd>A positive number of seconds indicating the maximum lifetime of 
+                the remembered grant.</dd>
           </dl>
           <dl class="idl" title="dictionary StoreSiteSpecificExceptionPropertyBag : StoreExceptionPropertyBag">
               <dt>sequence&lt;DOMString&gt; arrayOfDomainStrings</dt>
@@ -1770,6 +1782,29 @@
             header &mdash; is only valid immediately, and users may choose to 
             edit the list of stored exceptions and revoke some or all of them.
           </p>
+            <p>
+                If <code>expires</code> is supplied and not null or empty the 
+                remembered grant will be cancelled (i.e. processed as if the relevant
+                Cancel API had been called) no later than the specified date and time.
+                After this the database of remembered grants will no longer contain 
+                any duplets for which the first part is the current
+                document origin; i.e., no duplets <code>
+                    [document-origin,
+                    target]
+                </code> for any target.
+            </p>
+            <p>
+                If <code>maxAge</code> is supplied and not null, empty or negative 
+                the remembered grant will be cancelled (i.e. processed as if the 
+                relevant Cancel API had been called) no later than
+                the specified number of seconds following the grant. 
+            </p>
+            <p>
+                If both <code>maxAge</code> and <code>expires</code> are supplied,
+                <code>maxAge</code> has precedence.
+                If neither <code>maxAge</code> or <code>expires</code> are supplied, the
+                user agent MAY retain the remembered grant until it is cancelled.
+            </p>
         </section>
 
         <section id="exceptions-javascript-api-cancel">
@@ -1803,7 +1838,8 @@
           </dl>
           <dl class="idl" title="dictionary RemoveExceptionPropertyBag">
               <dt>DOMString? domain</dt>
-              <dd>Cookie-like domain string to which the exception applies.</dd>
+              <dd>a cookie-domain as defined in [[!RFC6265]],
+                  to which the exception applies.</dd>
           </dl>
           <p> When this method returns the database of grants no longer contains
           the indicated grant(s); if some kind of processing error occurred then
@@ -1830,7 +1866,8 @@
           </dl>
           <dl class="idl" title="dictionary ConfirmExceptionPropertyBag">
               <dt>DOMString? domain</dt>
-              <dd>Cookie-like domain string to which the exception applies.</dd>
+              <dd>a cookie-domain as defined in [[!RFC6265]],
+                  to which the exception applies.</dd>
           </dl>
           <dl class="idl" title="dictionary ConfirmSiteSpecificExceptionPropertyBag : ConfirmExceptionPropertyBag">
               <dt>sequence&lt;DOMString&gt; arrayOfDomainStrings</dt>
@@ -2043,6 +2080,8 @@
           user-interface to see and edit the database of recorded exception grants.
           The API parameters siteName, explanationString, and detailURI are
           provided so that the user agent may use them in their user interface.
+          If user-agents present this to the user, it should be clear that
+          they are claims by the site, and might be written to mislead.
         </p>
         <p>
           A user agent that chooses to highlight when tracking exceptions have been 
@@ -2151,8 +2190,14 @@
 		 their mind, and allow the store to proceed but then later ask it be 
 		 removed, or even by denying the storage in the first place.
 		</p>
+		
+		<p>Nonetheless, at the time of the call the site has acquired the user's
+		  consent, and can proceed on that basis, whether or not the user-agent
+		  has stored the exception immediately. It is not necessary to call the
+		  confirm API at the time of consent.</p>
 
-		<p>Sites can call the 'Confirm' APIs to enquire whether a specific 
+		<p>On other visits, sites can call the 'Confirm' APIs to enquire whether 
+		 a specific 
 		 exception has been granted and stands in the user agent. This is the call 
 		 to make to determine whether the exception exists, and hence to control 
 		 access to the function or operation;  if it fails (the exception has been 
Received on Wednesday, 10 December 2014 01:20:24 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:48:57 UTC