Re: "cross-site"

On 17 Nov. 2011 at 10:22, Shane Wiley wrote:
> This statement is an attempt to remove the concern that a 1st party, which will most likely not be subject to the DNT signal, does not have a backdoor opportunity to pass user data directly to a 3rd party (aka - closing a loophole).  3rd parties present on the 1st party's web site should honor the DNT signal directly.

hmmm… but from an HTTP request point of view everyone is 
a first party, except if the client sends an HTTP Referer [1], [2] 
(which is not mandatory and can often be ignored).

/me is really trying hard to understand how it is supposed to work 
and be implementable.


So I restart:

1. User agent (client, a piece of software) sends an HTTP request for 
   http://www.example.org/foo (1st party) with the HTTP header "DNT:1"

2. the server at www.example.org sends a representation (document) 
   for http://www.example.org/foo and logs the request

3. the user agent parses the document and sees there are other links,
   for example a link to http://stats.example.com/blah

4. the user agent sends an HTTP request for http://stats.example.com/blah
   with the HTTP header "DNT:1"

5. the server at stats.example.com sends a representation (document) 
   for http://stats.example.com/blah and logs the request


There is *no way* for stats.example.com to know that the HTTP request 
is made because of the initial request on http://www.example.org/foo
EXCEPT if the client sends a "Referer:" HTTP header.
(these are quite broken and heavily used for spam)

The way http://stats.example.com/blah might know about it is because of

* sessionId in URIs - evil, bad architectural design
* cookies or other local storage mechanisms
* tainted URIs with parameters and/or hash signs
* Browser fingerprinting


[1]: http://en.wikipedia.org/wiki/Referer
[2]: http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-17#section-9.7



-- 
Karl Dubost - http://dev.opera.com/
Developer Relations & Tools, Opera Software

Received on Thursday, 17 November 2011 16:11:48 UTC
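As an added illustration of steps 4 and 5 and the list of channels in the mail above (example code written for this page, not from the original message): a small parser for the request that stats.example.com receives, reporting which of the channels named there could tie the request back to http://www.example.org/foo. The sample requests and the set of session-parameter names are constructed assumptions; URI fragments are not covered because a user agent never transmits them to the server.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests, as stats.example.com (step 5) would receive them.
REQ_PLAIN = "GET /blah HTTP/1.1\r\nHost: stats.example.com\r\nDNT: 1\r\n\r\n"
REQ_REFERER = ("GET /blah HTTP/1.1\r\nHost: stats.example.com\r\nDNT: 1\r\n"
               "Referer: http://www.example.org/foo\r\n\r\n")
REQ_TAINTED = ("GET /blah?sid=abc123&from=www.example.org HTTP/1.1\r\n"
               "Host: stats.example.com\r\nDNT: 1\r\nCookie: uid=42\r\n\r\n")

# Assumed names under which a session id commonly travels in a query string.
SESSION_KEYS = {"sessionid", "sid", "jsessionid", "phpsessid"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, request-target and a header dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")      # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def linkage_channels(req):
    """Report which of the channels the mail lists are present in this request."""
    h = req["headers"]
    parts = urlsplit(req["target"])
    query = parse_qs(parts.query)
    return {
        "dnt_set": h.get("dnt") == "1",
        "referer": h.get("referer"),               # None when the client omitted it
        "session_in_uri": any(k.lower() in SESSION_KEYS for k in query)
                          or ";jsessionid=" in parts.path.lower(),
        "tainted_params": sorted(k for k in query if k.lower() not in SESSION_KEYS),
        "cookie": "cookie" in h,
    }


def first_party_known(req):
    """True iff some channel could tell stats.example.com which 1st-party page caused the request."""
    c = linkage_channels(req)
    return bool(c["referer"] or c["session_in_uri"] or c["tainted_params"] or c["cookie"])


if __name__ == "__main__":
    for name, raw in (("plain", REQ_PLAIN), ("referer", REQ_REFERER), ("tainted", REQ_TAINTED)):
        print(name, first_party_known(parse_request(raw)), linkage_channels(parse_request(raw)))
```

With REQ_PLAIN, the exact request of step 4, the only thing the server learns is that DNT is set; the other two requests show the Referer and the URI/cookie channels respectively.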