- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sat, 19 Nov 2011 00:33:34 +0100
- To: Karl Dubost <karld@opera.com>
- Cc: <public-tracking@w3.org>
* Karl Dubost wrote: >On http://validator.w3.org/, when accessing. > >The flattr toolbox is generated by this script on W3C site >http://www.w3.org/QA/Tools/don_prog.js > >This script generates another call to >http://api.flattr.com/js/0.6/load.js?mode=auto > >which itself generates markup an iframe from >http://api.flattr.com/button/view Yes, I was specifically referring to the fact that the parameters to that include the validator.w3.org host name. If "flattr" was to use its own service as a first party, they would not use that name, so by virtue of the presence of the parameter value, they can conclude they are not first party. Since you didn't call that out, I am not sure if you consider the inclusion of the host name in the address to be a case of "tainted" addresses. >Another thing to notice. W3C would not know programmatically if the user >is tracked or not, because it is an iframe, in case flattr would change >its policy. The tainted URIs are not created by W3C either and the >cookies are not in the W3C domain but flattr.com. Yes, and if you consider putting some Valid XHTML badge on your page, you also cannot programmatically determine if the W3C is tracking the users of your site if you reference the image from w3.org rather than using a local copy, unless you infer that from the P3P policy, which is probably not a viable option as P3P does not have many features to express data minimization techniques which may be subject to complex rules that are difficult to capture in a machine readable format. The Working Group seems unlikely to materially change that by January. >It is why I try to understand how that would be working on all sides >with a DNT:1 > >* user >* browser >* 1st party (here W3C) >* 3rd party (flattr.com) Perhaps an example helps: "flattr" offers static and dynamic versions of their button. The Validator uses the dynamic one that shows you a counter value. The static version can be hosted locally, so "flattr" would not learn of your visit to validator.w3.org unless you click on the button. I would expect the W3C to modify the "flattr" embedding script so it uses the static version for users sending the DNT signal, so they cannot be tracked by "flattr". The only loss in functionality would be that users who want to know the counter value have to click on the button, so this is a very easy way to (partially) honour the user's wish. My impression though is that you seem to see a more fundamental pro- blem with the "do not track" concept, but I could not make out where you are coming from so far. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 18 November 2011 23:34:05 UTC