- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 7 Feb 2012 18:13:11 -0800
- To: David Singer <singer@apple.com>
- Cc: Tracking Protection Working Group WG <public-tracking@w3.org>
On Feb 7, 2012, at 9:50 AM, David Singer wrote:

> The absence of a response header does have the huge downside that there is no 'automated discovery' of compliance in the transaction, and UAs that rely on that will assume the worst. If we go with SHOULD, this needs clearly stating.

There is no automated discovery of compliance in headers, regardless. Compliance to requirements that apply over time and across multiple requests can only be detected by observing behavior over time and multiple requests. Just because a header says that the server complies does not mean the server complies. UAs that actually depend on compliance should be checking against a curated list, just like fraud avoidance.

IMO, the response header is a complete waste of time and bytes. It is a very expensive delusion. In the entire history of HTTP, the only other protocols that defined a response header to indicate compliance were MIME-version (ignored), DAV (ignored), PICS (failed), and P3P (ignored). I don't understand why this WG needs to make the same mistake.

....Roy
Received on Wednesday, 8 February 2012 02:16:47 UTC