- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 18 Apr 2012 09:51:35 -0700
- To: ifette@google.com
- Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
- Message-Id: <91441379-1648-4DB9-BB18-70F04ECA69AF@gbiv.com>
On Apr 18, 2012, at 8:44 AM, Ian Fette (イアンフェッティ) wrote: > This would add an extra 1xRTT to pageload, and block ALL subresources, no? This alone? No. This is primarily just a way to define the scope of a first party such that our requirements make sense. A user agent that *needs* this info can get it. If they don't need it, they would not get it. E.g., if the user agent *wants* to send different header to the claimed first-party sites (as opposed to just the primary request vs subrequests), then it would need this information to do so; if it just wishes to send a different value on subrequests, then it does not need the info. A user agent that is coloring request elements based on the distinction could check the info either pre or concurrent with rendering. ....Roy > My understanding of your proposal is that I would have to fetch /, wait for the response which indicates where I find its DNT info (or perhaps it's at a well-known location?) and then only after I get this array of "here's how big I am" can I issue subsequent requests, as I need to know if I'm interacting with a 1st or 3rd party to send the correct header in the request? > > On Tue, Apr 10, 2012 at 2:00 PM, Roy T. Fielding <fielding@gbiv.com> wrote: > I am unsatisfied by all of the first-party definitions because I don't consider > them to be implementable (e.g., neither "can infer with high probability that the > user knowingly and intentionally" nor "the party that owns the Web site or has > control over the Web site" can be determined programmatically). > > I suggest that we simply state: > > 1) A first-party resource is a resource that has been designed for direct > interaction with a user. > > 2) When a user interacts with a given first-party resource, all subrequests > made to that first-party's domain or to any of the domains listed in the > same-party array within the first-party's tracking status resource are > also considered first-party resources; all other subrequests are considered > third-party resources. > > 3) The same-party array MUST be limited to domains that are owned or controlled > by the same legal entity that owns or controls the first-party as well as > domains that qualify as third parties acting on behalf of this first party. > > 4) The same-party array SHOULD be limited to domains that share sufficient > context with the first-party, such that the user has a reasonable expectation > that data provided to any of these domains might be shared or combined with > data provided to the other same-party domains. > > 5) Data provided to first-party resources is subject to first-party compliance > requirements; data provided to third-party resources is subject to third-party > compliance requirements. > > ....Roy >
Received on Wednesday, 18 April 2012 16:52:02 UTC