- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Fri, 18 Nov 2011 07:51:38 +0100
- To: Karl Dubost <karld@opera.com>
- Cc: <public-tracking@w3.org>
* Karl Dubost wrote:
>There is *no way* for stats.example.com to know that the HTTP request
>is made because of the initial request on http://www.example.org/foo
>EXCEPT if the client sends a "Referer:" HTTP header.
>(these are quite broken and used for spams heavily)

If you want to be DNT compliant, then you should separate the services
you yourself use as first party and the services you offer to third
parties; that way you can tell by looking at what the requests are for
and ignore where they are from, other than monitoring for hot linking
and things like that. If you don't want to do that, your other options
are treating first party DNT users the same as third party DNT users,
or simply don't claim DNT compliance.

>The way http://stats.example.com/blah might know about it is because of
>
>* sessionId in URIs - evil, bad architectural design
>* cookies or other local storage mechanisms
>* tainted uris with parameters and or hash signs
>* Browser fingerprinting

If I understand you correctly, I believe the third option is used on
http://validator.w3.org/ to betray details of your visit to "flattr".
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 18 November 2011 06:52:10 UTC
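
An added illustration of the separation suggested in the message above; it is not part of the original email or of any W3C text. The host names, the set of own sites and the DNT policy applied are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed names: these hosts and the policy below are assumptions.
FIRST_PARTY_ENDPOINT = "stats-internal.example.com"  # used only by the operator's own sites
THIRD_PARTY_ENDPOINT = "stats.example.com"           # offered to other sites
OWN_SITES = {"www.example.com", "example.com"}


def classify(headers):
    """Decide the party from what was requested (Host), never from Referer."""
    host = headers.get("Host", "").split(":")[0].lower()
    if host == FIRST_PARTY_ENDPOINT:
        return "first-party"
    if host == THIRD_PARTY_ENDPOINT:
        return "third-party"
    return "unknown"


def is_hotlink(headers):
    """Referer serves only as a hot-linking signal; it never changes the party."""
    referer = headers.get("Referer")
    if not referer:
        return False  # a missing Referer is normal, not evidence of abuse
    return urlsplit(referer).hostname not in OWN_SITES


def decide(headers):
    """Return the handling decision for one request (headers as a plain dict)."""
    party = classify(headers)
    dnt = headers.get("DNT") == "1"
    # Assumed policy: anything not on the first-party endpoint is restricted under DNT.
    restricted = dnt and party != "first-party"
    return {
        "party": party,
        "set_cookie": not restricted,
        "log_visitor_id": not restricted,
        "hotlink": party == "first-party" and is_hotlink(headers),
    }


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        {"Host": "stats.example.com", "DNT": "1", "Referer": "http://www.example.com/"},
        {"Host": "stats-internal.example.com", "Referer": "http://www.example.org/foo"},
    ]
    for request in samples:
        print(request["Host"], decide(request))
```

The first sample carries a Referer naming one of the operator's own sites and is still handled as third-party, because only the requested endpoint decides the party.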