- From: Rob van Eijk <rob@blaeu.com>
- Date: Sun, 13 Nov 2011 19:10:02 +0100
- To: public-tracking@w3.org
- Message-ID: <4EC007FA.5010007@blaeu.com>
The whole idea of developing a DNT protocol that will be handled by the browser, is that it may superseed the same-origin on which current header behavior is based. That is part of the out of the box thinking exercise. For requests like a tracking pices, the browser should have control over the headers sent to the 3rd party. -- Rob On 11-11-2011 2:06, Kevin Smith wrote: > > For requests like a tracking pixel, the 1^st party does not have any > control over the headers sent to the 3^rd party. That request is made > by the browser. It's possible that the 1^st party could somehow > signal to the browser that the existing user has opted back in, then > the browser could automatically add the override header, but that > seems pretty complicated. However, my guess is that opt in will often > be cookie based, and the communication will happen at opt-in time by > the 1^st party making a call to the 3^rd party allowing the 3^rd party > to set their own cookies and therefore not need any special > communication at subsequent requests. > > *From:*Peter Eckersley [mailto:peter.eckersley@gmail.com] > *Sent:* Wednesday, November 09, 2011 11:20 AM > *To:* Tracking Protection Working Group WG > *Subject:* [ACTION-20] First parties signaling exceptions to third parties > > Some possible language to consider: > > First parties sometimes have active exceptions to DNT. For instance, > a user > on the New York Times site may have logged in and knowingly opted back > in to > being tracked by third parties while reading the New York Times site. > In such a > case, the first party needs a way to signal to the third parties that, > for these > particular requests, an exception is overriding the DNT: 1 header that the > user's browser is sending. > > If a first party wishes to signal to a third party that there is an active > exception to DNT, the first party MUST indicate this with a request > parameter > "dnt-override=" with a non-null value (eg, "dnt-override=1", > "dnt-override=user logged in", "dnt-override=retain for 1 week", > etc). This > parameter may be set as a URI query parameter, a URI fragment > parameter, or an > HTTP POST parameter. > > A webserver receiving a request with the "dnt-override=" parameter with a > value of "1" MAY disregard a DNT: 1 header that it simultaneously > receives from the client. However if it does so, it MUST send the > Tracking: 1 > response header to the client. > > First parties and third parties MAY agree to additional semantics for > values of > the dnt-override parameter other than 1 or null. If a third party > receives a > value for "dnt-override" where such an agreement and implementation is > not in > place, it MUST send Tracking: 0 to the client, and ignore the dnt-override > parameter. > > -- > Peter >
Received on Sunday, 13 November 2011 18:12:18 UTC