Re: action-231, issue-153 requirements on other software that sets DNT headers

It is inaccurate to say that IE10's implementation is inconsistent with the
spec, as the WG has not chosen an option to define explicit and informed  
consent.  The Windows flow presents information about DNT along with several  
other options; as an opt-in flow, you could argue that DNT should be called  
out more prominently, but I have seen a lot worse.

Please recall that the group previously rejected requiring consent to  
require distinct permission separate from other information, and you  
yourself wanted to leave open the possibility that consent could be obtained  
through a *privacy policy*.  So it is certainly an open question whether  
IE10 meets the explicit and informed consent standard that the spec provides.

Sent via mobile, please excuse curtness and typos

-----Original message-----
From: "Roy T. Fielding" <>
To: Justin Brookman <>
Sent: Thu, Aug 23, 2012 07:49:35 GMT+00:00
Subject: Re: action-231, issue-153 requirements on other software that sets DNT headers

On Aug 22, 2012, at 8:09 PM, Justin Brookman wrote:

> It is simply not true that IE10's header has no meaning.

According to their docs, it is not consistent with DNT as defined
in our specs.  It therefore has no meaning known to me.  That is
the nature of open standards.

> At the end of the day, for implementers of this specification, IE10's
> DNT:1 header meaning is whatever this spec says it is.

No, IE10's DNT is just a bug. A brain fart of epic proportions.
IE has had many bugs over the years, they occasionally get fixed,
and most people have learned to avoid the n.0 releases.

> The problem comes if the spec says that any party gets to subjectively
> decide what IE10's header means.

I have no desire for the spec to say that.  I have a desire to
tell the user that they have a buggy UA without messing with
the site UI.  If the WG doesn't want me to do that, then the
user gets a little less transparency.

Regardless, MSIE 10.0's DNT signal will be deleted before any
application or downstream server sees it.

> To forestall having the same exact argument with you for the nth time, I
> will reiterate my concession that it may be OK for parties to have different
> rules for responding to different UAs (including refusing to provide
> content).  I'm just not sure a response header to the UA that "I refuse to
> honor this header" without requiring more is sufficiently transparent from
> the user's perspective.

Any server can deny access, regardless of DNT.  Any server can

Received on Thursday, 23 August 2012 13:01:54 UTC