Re: [ISSUE-81, ACTION-13] Response Header Format

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 28 Oct 2011 13:09:29 -0700
Cc: Matthias Schunter <mts@zurich.ibm.com>, public-tracking@w3.org
Message-Id: <5FEAC9F9-6F6E-4F06-B634-37BABCA469EF@gbiv.com>
To: Karl Dubost <karld@opera.com>

On Oct 28, 2011, at 12:28 PM, Karl Dubost wrote:
> well-known URIs do not work when example.com domain names host more than one web site.
> example.com/business1
> example.com/business2
> example.com/.well-known/dnt

Yes they do work -- the format just needs to include sections for each one.
Note, however, that such multi-business domain sharing is a thing of
the past, and it is extremely unlikely that such businesses would engage
in third-party tracking.

> Exactly the same issue as robots.txt or favicon.ico. favicon.ico 
> has been partly solved by the creation of a link header in the HTML 
> document. But that doesn't work with non-HTML documents. I have not 
> tested favicon with an HTTP "Link:"
> robots.txt is definitely useless in this context.

It works just fine -- the domain owner collects the information
automatically from the ./business/.robots.txt and simply rewrites
the locations for the main site.  In any case, people who host multiple
businesses on a single domain are vulnerable to many different cross-site
security attacks.  Hence, the kind of sites that this protocol cares about
protecting the user from do not share the same domain with unrelated sites.

> Another issue is that it has a tendency to create useless HTTP 
> requests on the Web for each individual request.

> I would be happier with a 
> Link: <URI>;rel=[tobedefined]

That was my original proposal in Cambridge.  It would be true if we expected
everyone to be browsing with DNT and verification on.  We don't expect that.
The response is only necessary for the very small percentage of DNT-enabled
browsers, which in turn is just a small percentage of overall browsers, that
also want to see verification of tracking.  In other words, the ultra-paranoid
mode or the regulators checking for deployment/compliance.  A user that just
wants to enable DNT will just send the DNT request header.

Hence, sending a link back on every single request is far more expensive than
a few privacy-enabled browsers sending extra requests when they want to ensure
their own preferences are being honored.

Received on Friday, 28 October 2011 20:10:12 UTC
