Re: tainted uris in document and HTTP redirection from Aleecia M. McDonald on 2011-11-22 (public-tracking@w3.org from November 2011)

From: Aleecia M. McDonald <aleecia@aleecia.com>
Date: Tue, 22 Nov 2011 14:07:44 -0800
To: "(public-tracking@w3.org)" <public-tracking@w3.org>
Message-Id: <AC719383-1936-4E2B-B324-753F0D194925@aleecia.com>
This is a great example. Thanks for sending it along in beautifully well-documented detail. I think this is the sort of thing we are actually in fairly good shape to deal with, so I would like to see if my understanding is wrong some places.  

On Nov 22, 2011, at 6:27 AM, Karl Dubost wrote:

[…]
> Here an hotel site, when requesting the URI, we receive a document creating a redirection at the document level, NOT HTTP.

From a DNT perspective, does it matter where or how the redirect happens? I do not think so. 

> % curl http://www.nynyhotel.com/

Ok, so here's the expected first party: our user Karl makes the choice to visit the first party nynyhotel.com. 

[…headers snipped…]

> <html>
>    <head>
>    <meta http-equiv="refresh" content="0;url=http://clk.atdmt.com/MGM/go/kwbngmgm0010016098mgm/direct/01/?kbid=34362&m=619"> 
> <title>New York New York Hotel & Casino</title>
> </head>
> <body bgcolor="#000000">
> </body>
> </html>
> 
> 
> It creates a redirection without triggering a user choice. If we try to fetch this URI. We are redirected to a third site. This time at the HTTP level only. Go figure.

I don't see that user choice is particularly at issue here. Yes, redirection happens even if a user does not want it to happen. But that's not a problem we're trying to solve (and there are add ons that do: I had to manually allow the redirects a few times while testing this out). What we're trying to address is that all of these layers of redirection should not treat data as lightly as if they were taking the DNT first party path. Here we have clk.atdmt.com, and some more information that suggests NY NY Hotel is owned by MGM, hinting that co-branding works for advertising models in some places already. :-) 

So let's look at clk.atdmt.com and see if there is any business reason they might mistakenly think they are a first party. LiveHTTPHeaders doesn't show anything fancy. The <title> seems to document the page well: "(GIF Image, 1x1 pixels)". https://www.atdmt.com/ redirects to http://www.atlassolutions.com/

I would bet that Microsoft knows *.atdmt.com is not acting in a first party context, any time any of the *.atdmt content is loaded. This seems amazingly straight-forward from the business side. What we have here is a third party that knows it is a third party, by the very nature of what it does.

> %curl -sI "http://clk.atdmt.com/MGM/go/kwbngmgm0010016098mgm/direct/01/?kbid=34362&m=619"
> 
> HTTP/1.1 302 Object moved
> Cache-Control: no-store
> Content-Length: 0
> Expires: 0
> Location: http://www.newyorknewyork.com/?kbid=34362&m=619

[…snip…]

Again we have clk.atdmt.com, which knows from the business side that it should not claim to be a first party. And then the final redirect -

> Let's try to fetch that. This time we receive the content.
> 
> % curl -sI "http://www.newyorknewyork.com/?kbid=34362&m=619"
> 
> HTTP/1.1 200 OK

[…snip…]

Yep. So here we have newyorknewyork.com, which matches the user's expectation of where they were trying to visit in the first place, and the URL even has some information passed to it that might actually help the site to know it was at the end of a redirect chain and is acting in a first party context. But more than that, I would hazard a guess that newyorknewyork.com *only* acts in a first party context, ever. Again this comes down to business, not tech. If it is true that newyorknewyork.com only is designed as a first party site, then they can be comfortable claiming DNT first party status and go about their business, regardless of what path users took to reach them. No logic or code branching needed. Very clean.

So I see this example and think "good news, for this simple case, DNT as we're talking about it should work out fine." The knowledge that comes into play is not about technical measures, it's about business models. So - what am I missing? Because I am pretty sure that Karl is not joining me in thinking this is good news. :-)

> Note: A user agent could when the user has activated DNT:1 cancels automatic redirection and asks the user for the redirection with a modal dialog. It would be an horrible UX for people. And people would not necessary know what it means in natural language or that if the redirection is on a tracker or not.

Agreed. And speaking just personally, I see no reason why DNT should get in the middle of redirects. We agreed in Santa Clara that redirects should not track users with DNT: 1, and I think we can get there. 

I now see the next message in this thread, but I already owe all of you the agenda for tomorrow's call. Let's see if we can make sense of this basic example here before continuing forward too. Karl, could you please tell me, where do you think I am going wrong? 

	Aleecia
Received on Tuesday, 22 November 2011 22:08:21 UTC