Re: Behavior of user agents after granting exceptions

On Fri, Apr 13, 2012 at 11:59 AM, Matthias Schunter <mts-std@schunter.org> wrote:

>  Hi Ian/Rigo,
>
>
> I see that we agree. This is good news ;-)
>
> The requirement that the DNT value should reflect preferences of an actual
> user is part of the TPE spec. However, as you indicated, the user agent may
> derive this preference from other actions (such as installing an
> anti-tracking tool or enabling private browsing mode). Similarly, a
> privacy-enabled user agent may do some heuristics like "In general I send
> DNT;1 but for sites that are on my whitelist, I send nothing (or DNT;0)".
> What should not happen is that user agent sends DNT;0 or DNT;1 without
> reflecting some desire/input/preference by the user.
>
> What I wanted to clarify (and we seem to agree) is
>  a) The return value of the exception API does not guarantee future
> behavior (user may change its mind or may use advanced user agent)
>  b) We allow for innovation in the API and heuristics used by user agents
> (as long as they reflect the preference of a user).
>

I'm not sure I agree with b), and feel it might be worth actually having
that discussion to see if we can scope it down. Specifically, I would view
what you describe as "Similarly, a privacy-enabled user agent may do some
heuristics like 'In general I send DNT;1 but for sites that are on my
whitelist, I send nothing (or DNT;0)'" as being non-compliant.



> Regards,
> matthias
>
>
>
> On 13/04/2012 18:08, Ian Fette (イアンフェッティ) wrote:
>
> I don't want to get too deep into discussions about the browser UI, but I
> think it's fundamentally important to note that the value that gets sent to
> the server needs to be a reflection of the user's express intent. That is,
> if a user has granted an exception, DNT0 should get sent; a browser
> shouldn't just decide "Well, I'm going to send DNT1" unless it is clear to
> the user exactly why their choice is being overridden and why and that this
> override is intended. For instance, I think one could argue that when
> opening a "private browsing mode", which many browsers treat conceptually
> as a separate profile to some extent, it could be reasonable not to carry
> over the granted exceptions into that private browsing session. But such
> cases should be very few and far between, and frankly I think it would be
> worth a discussion of that.
>
>  In short, I'm not sure your #5 is sufficiently nuanced ("user agents
> using other algorithms to determine whether to send DNT0/1")
>
>  -Ian
>
>  On Fri, Apr 13, 2012 at 5:13 AM, Rigo Wenning <rigo@w3.org> wrote:
>
>> We especially allow the user to change her mind and instruct the UA to send
>> DNT=1 after the exception was granted (and we have no notion of time so
>> far). If a service finds that odd, the service can re-request a user
>> granted permission or it can block the UA until such permission is
>> granted.
>>
>> Consequently, I agree with Matthias that we should not constrain the browser
>> here and allow all kinds of reactions.
>>
>> Rigo
>>
>> On Friday 13 April 2012 04:02:11 Matthias Schunter wrote:
>> > 5. We nevertheless permit any other behavior of user agents, e.g.,
>> >     a) User agents ignoring the requests for exceptions (while returning
>> > true or false when the API is called)
>> >     b) User agents returning TRUE for the Javascript call and then later
>> > still sending DNT;1 (somewhere or everywhere)
>> >     c) User agents using other algorithms to determine whether to send
>> > DNT;0 or DNT;1 (and for the return value of the API call).
>>
>>
>

Received on Friday, 13 April 2012 19:09:34 UTC