Re: when the Tk header is required

On Monday 27 August 2012 17:58:20 Nicholas Doty wrote:
> > WKL "1" or "3" doesn't mean this request is in a first or
> > third-party context -- it simply claims the minimum set of
> > requirements in Compliance adhered to for all resources on
> > the site.  If one of those resources would not adhere to that
> > claim, then the response must either be the "worst-case" of
> > "3" (meaning all of my resources comply with the requirements
> > on third party tracking even though they might be used in a
> > first-party context) or "X" (meaning I determine compliance
> > dynamically based on the request and you'll have to check the
> > headers).
> To be clear, it sounds like you mean by "worst case", "the context
> with the greatest restriction on tracking defined in the
> Compliance spec for which all resources on this site are designed
> to comply, or X to indicate that compliance varies by context".
> (I thought "1" would be possible because I was interpreting
> "worst case" as "the least restrictive level of tracking defined
> in the Compliance spec for a resource on this site".)

This sounds like "I may or may not be tracking you, in fact I don't
know". This isn't really a semantically sound answer to the user
saying "do not track me".

And "the union of things declared" is so complex in Privacy that it
becomes unmanageable. BTW, "the union of things" already existed in
P3P 1.0:
http://www.w3.org/TR/P3P/#non-ambiguity

"If a user agent discovers more than one non-expired P3P policy for a
given URI (for example because a page has both a P3P header and a
link tag that reference different policy reference files, or because
P3P headers for two pages on the site reference different policy
reference files that declare different policies for the same URI),
the user agent MAY assume any (or all) of these policies apply as
the site MUST honor all of them."

DNT can do much better if we declare an overriding header IMHO.

Rigo

Received on Tuesday, 28 August 2012 18:32:57 UTC