W3C home > Mailing lists > Public > public-tracking@w3.org > February 2012

Re: ACTION-115: Write up counter-proposal to header with well-known URI

From: Roy T. Fielding <fielding@gbiv.com>
Date: Mon, 13 Feb 2012 00:22:00 -0800
Message-Id: <7434CB0E-F124-4AD4-B491-47CECF91FB88@gbiv.com>
To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
On Feb 11, 2012, at 5:31 AM, Roy T. Fielding wrote:

> ACTION-115: Write up counter-proposal to header with well-known URI
> Related to ISSUE-124, ISSUE-61, ISSUE-90, ISSUE-111

and ISSUE-80 and ISSUE-47.

After getting some sleep, I have revised the proposal to optimize for the
common case (one policy per domain) and to fully describe the verification
process.  A plain text version is below, with HTML in the editor's draft.


  5.1 Tracking Status Resource

   An origin server must provide a well-known resource [RFC5785] at the
   identifier path

      /.well-known/dnt

   (relative to the URI of that origin server) for obtaining information
   about the potential tracking behavior of services provided by that origin
   server. A tracking status resource may be used for verification of DNT
   support, as described in section 5.1.2 Using the Tracking Status.

   A valid retrieval request (e.g., a GET in [HTTP11]) on the well-known URI
   must result in either a successful response containing a machine-readable
   representation of the site-wide tracking status, as defined below, or a
   sequence of redirects that leads to such a representation. A user agent
   may consider failure to provide access to such a representation equivalent
   to the origin server not implementing this protocol. The representation
   might be cached, as described in section 5.1.3 Tracking Status Caching.

   If an origin server contains multiple services that are controlled by
   distinct parties or that might have differing behavior or policies
   regarding tracking, then it may also provide a space of well-known
   resources for obtaining information about the potential tracking behavior
   of each specific service. This parallel tree of resources is called the
   tracking status resource space.

   The tracking status resource space is defined by the following URI
   Template [RFC_UT_]:

      /.well-known/dnt{+pathinfo}

   where the value of pathinfo is equal to the path component [RFC3986] of a
   given reference to that origin server, excluding those references already
   within the above resource space. For example, a reference to

      http://example.com/over/here?q=hello#top

   may have a corresponding tracking status resource identified by

      http://example.com/.well-known/dnt/over/here

   Resources within the tracking status resource space are represented using
   the same format as a site-wide tracking status resource.

   All responses to requests on a tracking status resource, including
   redirected requests, must not include Set-Cookie or Set-Cookie2 header
   fields [RFC6265] and must not include content that would have the effect
   of initiating tracking beyond what is already present for the request. A
   user agent should ignore or treat as an error any Set-Cookie or
   Set-Cookie2 header field received in such a response.

    5.1.1 Tracking Status Representation

   The representation of a tracking status resource shall be provided in the
   "application/json" format [RFC4627] and must conform to the ABNF in
   section 5.1.4 Tracking Status ABNF. The following is an example tracking
   status representation that illustrates all of the fields defined by this
   specification, most of which are optional.

      {
        "path": "/",
        "tracking": true,
        "received": "1",
        "response": "t1",
        "same-site": [
          "example.com",
          "example_vids.net",
          "example_stats.com"
        ],
        "partners": [
          "api.example-third-party.com"
        ],
        "policy": "/tracking.html",
        "edit": "http://example-third-party.com/your/data",
        "options": "http://example-third-party.com/your/consent"
      }

   A tracking status representation consists of a single status-object
   containing members that describe the tracking status applicable to this
   user agent's request.

   If the status-object has an optional path member, then this object
   describes the tracking status for the entire space of resources that share
   the same path prefix as the value of path. The user agent must interpret
   the path value relative to the originally referenced resource, not the
   resource where it obtained the tracking status representation.

   For the site-wide tracking status resource, the presence of a path member
   with a value of "/" indicates that this status-object applies for the
   entire origin server of the originally referenced resource. If the
   originally referenced resource's path component does not share the same
   prefix as the value of path, or if the path member is absent, then the
   tracking status for the referenced resource may be obtained via a request
   on the corresponding tracking status resource space.

   A status-object must have a member named tracking with a boolean value. A
   value of false indicates that the corresponding resources do not perform
   tracking as it is defined by Tracking Compliance and Scope. A value of
   true indicates that the corresponding resource performs tracking and
   claims to conform to all tracking compliance requirements applicable to
   this site.

   For example, the following demonstrates a minimal tracking status
   representation that is applicable to any resource that does not perform
   tracking.

      {"tracking": false}

   The following status-object would indicate that the entire site does not
   perform tracking.

      {"path": "/", "tracking": false}

   If tracking is true, the status-object must include two additional
   members, named received and response, and may include other members as
   described below.

   The received member must have either a string value equal to the
   DNT-field-value received in that request or the value null if no
   DNT-field-value was received. Any invalid characters received in the
   DNT-field-value must be elided from the string value to ensure that
   invalid data is not injected into the JSON result.

   The response member must have a string value that indicates the status of
   tracking applicable specifically to this user in light of the received
   DNT-field-value. The string value begins with "t" (tracking) or "n" (not
   tracking) and may be followed by alphanumeric characters that indicate
   reasons for that status, as described in the following table.

          reasons     meaning                       
             1    Designed for use as a first-party only             
             3    Designed for use as a third-party                  
             a    Limited to advertising audits                      
             c    Prior consent received from this user agent        
             f    Limited to fraud prevention                        
             g    For compliance with regional/geographic            
                  constraints                                        
             q    Limited to advertising frequency capping           
             r    Limited to referral information                    

   An optional member named same-site may be provided with an array value
   containing a list of domain names that the origin server claims are the
   same site, to the extent they are referenced on this site, since all data
   collected via those references share the same data controller.

   An optional member named partners may be provided with an array value
   containing a list of domain names for third-party services that might
   track the user as a result of using this site and which do not have the
   same data controller as this site.

   An optional member named policy may be provided with a string value
   containing a URI-reference to a human-readable document that describes the
   tracking policy for this site. The content of such a policy document is
   beyond the scope of this protocol and only supplemental to what is
   described by this machine-readable tracking status representation.

   An optional member named edit may be provided with a string value
   containing a URI-reference to a resource intended to allow a tracked user
   agent to review or delete data collected by this site, if any such data
   remains associated with this user agent. The design of such a resource and
   the extent to which it can provide access to that data is beyond the scope
   of this protocol.

   An optional member named options may be provided with a string value
   containing a URI-reference to a resource intended to allow a user agent to
   opt-in, opt-out, or otherwise modify their consent status regarding data
   collection by this site. The design of such a resource and how it might
   implement an out-of-band consent mechanism is beyond the scope of this
   protocol.

   Additional extension members may be provided in the status-object to
   support future enhancements to this protocol. A user agent should ignore
   extension members that it does not recognize.

   Note that the tracking status resource space applies equally to both
   first-party and third-party services. An example of a third-party tracking
   status is

      {
        "tracking": true,
        "received": "1",
        "response": "n",
        "policy": "/privacy.html",
        "edit": "/your/data",
        "options": "/your/consent"
      }

   ISSUE-47: Should the response from the server indicate a policy that
   describes the DNT practices of the server?
   [PENDING REVIEW] The tracking status resource is a machine-readable policy
   and provides a mechanism for supplying a link to a human-readable policy.

   ISSUE-61: A site could publish a list of the other domains that are
   associated with them
   [PENDING REVIEW] The same-site and partners members provide a means to
   list first-party and third-party domains, respectively.

   ISSUE-124: Alternative DNT implementations that replace HTTP headers with
   something else
   [PENDING REVIEW] The tracking status resource minimizes bandwidth usage
   because only a small proportion of user agents are expected to perform
   active verification, status would only be requested once per site per day,
   and the response can be extensively cached.

   5.1.2 Using the Tracking Status

   A key advantage of providing the tracking status at a resource separate
   from the site's normal services is that the status can be accessed and
   reviewed prior to making use of those services and prior to making
   requests on third-party resources referenced by those services. In
   addition, the presence (or absence) of a site-wide tracking status
   representation is a means for testing deployment of this standard and
   verifying that a site's claims regarding tracking are consistent with the
   site's observed behavior over time.

   A user agent may check the tracking status for a given resource URI by
   making a retrieval request for the well-known address /.well-known/dnt
   relative to that URI.

   If the response is an error, then the service does not implement this
   standard. If the response is a redirect, then follow the redirect to
   obtain the tracking status (up to some reasonable maximum of redirects to
   avoid misconfigured infinite request loops). If the response is
   successful, obtain the tracking status representation from the message
   payload, if possible, or consider it an error.

   Once the tracking status representation is obtained, parse the
   representation as JSON to extract the Javascript status-object. If parsing
   results in a syntax error, the user agent should consider the site to be
   non-conformant with this protocol.

   If the status-object does not have a member named path or if the value of
   path is not "/" and not a prefix of the path component for the URI being
   checked, then find the service-specific tracking status resource by taking
   the template /.well-known/dnt{+pathinfo} and replacing {+pathinfo} with
   the path component of the URI being checked. Perform a retrieval request
   on the service-specific tracking status resource and process the result as
   described above to obtain the specific tracking status.

   The status-object is supposed to have a member named tracking with a
   boolean value. If the value is false, then no tracking is performed for
   the URI being checked. If the value is true, then examine the member named
   received to verify that the DNT header field sent by the user agent has
   been correctly received by the server. If the received value is incorrect,
   there may be an intermediary interfering with transmission of the DNT
   request header field.

   If the received value is correct, then examine the member named response
   to see what the origin server has claimed regarding the tracking status
   for this user agent in light of the received DNT-field-value.

   If the first character of the response value is "n", then the origin
   server claims that it will not track the user agent for requests on the
   URI being checked, and for any URIs with a path prefix matching the path
   member's value, for at least the next 24 hours or until the Cache-Control
   information indicates that this response expires, as described below.

   If the first character of the response value is "t", then the origin
   server claims that it might track the user agent for requests on the URI
   being checked, and for any URIs with a path prefix matching the path
   member's value, for at least the next 24 hours or until the Cache-Control
   information indicates that this response expires.

   The remaining characters of the response value might indicate reasons for
   the above choices or limitations that the origin server will place on its
   tracking.

   The others members of the status-object may be used to help the user agent
   differentiate between a site's first-party and third-party services, to
   provide links to additional human-readable information related to the
   tracking policy, and to provide links for control over past data collected
   or over some consent mechanism outside the scope of this protocol.

   5.1.3 Tracking Status Caching

   If the tracking status is applicable to all users, regardless of the
   received DNT-field-value or other data received via the request, then the
   response should be marked as cacheable and assigned a time-to-live
   (expiration or max-use) that is sufficient to enable shared caching but
   not greater than the earliest point at which the service's tracking
   behavior might increase. For example, if the tracking status response is
   set to expire in seven days, then the earliest point in time that the
   service's tracking behavior can be increased is seven days after the
   policy has been updated to reflect the new behavior, since old copies
   might persist in caches until the expiration is triggered. A service's
   tracking behavior can be reduced at any time, with or without a
   corresponding change to the tracking status resource.

   If the tracking status is only applicable to all users that have the same
   DNT-field-value, then either the response must include a Cache-Control
   header field with one of the directives "no-cache", "no-store",
   "must-revalidate", or "max-age=0", or the response must include a Vary
   header field that includes "DNT" in its field-value.

   If the tracking status is only applicable to the specific user that
   requested it, then the response must include a Cache-Control header field
   with one of the directives "no-cache", "no-store", "must-revalidate", or
   "max-age=0".

   Regardless of the cache-control settings, it is expected that user agents
   will check the tracking status of a service only once per session (at
   most). A public Internet site that intends to change its tracking status
   to increase tracking behavior must update the tracking status resource in
   accordance with that planned behavior at least twenty-four hours prior to
   activating that new behavior on the service.

   ISSUE-90: Interaction of DNT with caching and intermediaries
   [PENDING REVIEW] The tracking status response explicitly controls caching,
   allows the received DNT-field-value to be echoed to the client, and does
   so in the body to reduce accidental loss in transit.

    5.1.4 Tracking Status ABNF

   The representation of a site's machine-readable tracking status must
   conform to the following ABNF for status-object, except that the members
   within each member-list may be provided in any order.

 status-object = begin-object member-list end-object
 member-list   = [ path ns path-v vs      ]
                 tracking       ns tracking-v
                 [ vs received  ns received-v  ]
                 [ vs response  ns response-v  ]
                 [ vs same-site ns same-site-v ]
                 [ vs partners  ns partners-v  ]
                 [ vs policy    ns policy-v    ]
                 [ vs edit      ns edit-v      ]
                 [ vs options   ns options-v   ]
                 *( vs extension )

 path          = %x22 "path" %x22
 path-v        = string       ; URI absolute-path

 tracking      = %x22 "tracking" %x22
 tracking-v    = true / false


 received      = %x22 "received" %x22
 received-v    = null / string

 response      = %x22 "response" %x22
 response-v    = %x22 r-codes %x22

 r-codes       = ("t" / "n") *reasons
                    

 reasons       = "1"              ; first-party
                 / "3"            ; third-party
                 / "a"            ; advertising audits
                 / "c"            ; prior consent
                 / "f"            ; fraud prevention
                 / "g"            ; geographic/regional compliance
                 / "q"            ; frequency capping
                 / "r"            ; referrals
                 / ALPHA / DIGIT  ; TBD

 same-site     = %x22 "same-site" %x22
 same-site-v   = array-of-strings

 partners      = %x22 "partners" %x22
 partners-v    = array-of-strings

 policy        = %x22 "policy" %x22

 policy-v      = string       ; URI-reference

 edit          = %x22 "edit" %x22
 edit-v        = string       ; URI-reference

 options       = %x22 "options" %x22
 options-v     = string       ; URI-reference

 extension     = object


 array-of-strings = begin-array
                    [ string *( vs string ) ]
                    end-array

 ns            = <name-separator  (:), as defined in [RFC4627]>
 vs            = <value-separator (,), as defined in [RFC4627]>

 begin-array   = <begin-array     ([), as defined in [RFC4627]>
 end-array     = <end-array       (]), as defined in [RFC4627]>
 begin-object  = <begin-object    ({), as defined in [RFC4627]>

 end-object    = <end-object      (}), as defined in [RFC4627]>
 object        = <object, as defined in [RFC4627]>
 string        = <string, as defined in [RFC4627]>

 true          = <true,   as defined in [RFC4627]>
 false         = <false,  as defined in [RFC4627]>
 null          = <null,   as defined in [RFC4627]>

        

Cheers,

Roy T. Fielding                     <http://roy.gbiv.com/>
Principal Scientist, Adobe Systems  <http://adobe.com/enterprise>
Received on Monday, 13 February 2012 08:22:25 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:45 UTC