- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Mon, 13 Feb 2012 00:22:00 -0800
- To: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
On Feb 11, 2012, at 5:31 AM, Roy T. Fielding wrote:
> ACTION-115: Write up counter-proposal to header with well-known URI
> Related to ISSUE-124, ISSUE-61, ISSUE-90, ISSUE-111
and ISSUE-80 and ISSUE-47.
After getting some sleep, I have revised the proposal to optimize for the
common case (one policy per domain) and to fully describe the verification
process. A plain text version is below, with HTML in the editor's draft.
5.1 Tracking Status Resource
An origin server must provide a well-known resource [RFC5785] at the
identifier path
/.well-known/dnt
(relative to the URI of that origin server) for obtaining information
about the potential tracking behavior of services provided by that origin
server. A tracking status resource may be used for verification of DNT
support, as described in section 5.1.2 Using the Tracking Status.
A valid retrieval request (e.g., a GET in [HTTP11]) on the well-known URI
must result in either a successful response containing a machine-readable
representation of the site-wide tracking status, as defined below, or a
sequence of redirects that leads to such a representation. A user agent
may consider failure to provide access to such a representation equivalent
to the origin server not implementing this protocol. The representation
might be cached, as described in section 5.1.3 Tracking Status Caching.
If an origin server contains multiple services that are controlled by
distinct parties or that might have differing behavior or policies
regarding tracking, then it may also provide a space of well-known
resources for obtaining information about the potential tracking behavior
of each specific service. This parallel tree of resources is called the
tracking status resource space.
The tracking status resource space is defined by the following URI
Template [RFC_UT_]:
/.well-known/dnt{+pathinfo}
where the value of pathinfo is equal to the path component [RFC3986] of a
given reference to that origin server, excluding those references already
within the above resource space. For example, a reference to
http://example.com/over/here?q=hello#top
may have a corresponding tracking status resource identified by
http://example.com/.well-known/dnt/over/here
Resources within the tracking status resource space are represented using
the same format as a site-wide tracking status resource.
All responses to requests on a tracking status resource, including
redirected requests, must not include Set-Cookie or Set-Cookie2 header
fields [RFC6265] and must not include content that would have the effect
of initiating tracking beyond what is already present for the request. A
user agent should ignore or treat as an error any Set-Cookie or
Set-Cookie2 header field received in such a response.
5.1.1 Tracking Status Representation
The representation of a tracking status resource shall be provided in the
"application/json" format [RFC4627] and must conform to the ABNF in
section 5.1.4 Tracking Status ABNF. The following is an example tracking
status representation that illustrates all of the fields defined by this
specification, most of which are optional.
{
"path": "/",
"tracking": true,
"received": "1",
"response": "t1",
"same-site": [
"example.com",
"example_vids.net",
"example_stats.com"
],
"partners": [
"api.example-third-party.com"
],
"policy": "/tracking.html",
"edit": "http://example-third-party.com/your/data",
"options": "http://example-third-party.com/your/consent"
}
A tracking status representation consists of a single status-object
containing members that describe the tracking status applicable to this
user agent's request.
If the status-object has an optional path member, then this object
describes the tracking status for the entire space of resources that share
the same path prefix as the value of path. The user agent must interpret
the path value relative to the originally referenced resource, not the
resource where it obtained the tracking status representation.
For the site-wide tracking status resource, the presence of a path member
with a value of "/" indicates that this status-object applies for the
entire origin server of the originally referenced resource. If the
originally referenced resource's path component does not share the same
prefix as the value of path, or if the path member is absent, then the
tracking status for the referenced resource may be obtained via a request
on the corresponding tracking status resource space.
A status-object must have a member named tracking with a boolean value. A
value of false indicates that the corresponding resources do not perform
tracking as it is defined by Tracking Compliance and Scope. A value of
true indicates that the corresponding resource performs tracking and
claims to conform to all tracking compliance requirements applicable to
this site.
For example, the following demonstrates a minimal tracking status
representation that is applicable to any resource that does not perform
tracking.
{"tracking": false}
The following status-object would indicate that the entire site does not
perform tracking.
{"path": "/", "tracking": false}
If tracking is true, the status-object must include two additional
members, named received and response, and may include other members as
described below.
The received member must have either a string value equal to the
DNT-field-value received in that request or the value null if no
DNT-field-value was received. Any invalid characters received in the
DNT-field-value must be elided from the string value to ensure that
invalid data is not injected into the JSON result.
The response member must have a string value that indicates the status of
tracking applicable specifically to this user in light of the received
DNT-field-value. The string value begins with "t" (tracking) or "n" (not
tracking) and may be followed by alphanumeric characters that indicate
reasons for that status, as described in the following table.
reasons meaning
1 Designed for use as a first-party only
3 Designed for use as a third-party
a Limited to advertising audits
c Prior consent received from this user agent
f Limited to fraud prevention
g For compliance with regional/geographic
constraints
q Limited to advertising frequency capping
r Limited to referral information
An optional member named same-site may be provided with an array value
containing a list of domain names that the origin server claims are the
same site, to the extent they are referenced on this site, since all data
collected via those references share the same data controller.
An optional member named partners may be provided with an array value
containing a list of domain names for third-party services that might
track the user as a result of using this site and which do not have the
same data controller as this site.
An optional member named policy may be provided with a string value
containing a URI-reference to a human-readable document that describes the
tracking policy for this site. The content of such a policy document is
beyond the scope of this protocol and only supplemental to what is
described by this machine-readable tracking status representation.
An optional member named edit may be provided with a string value
containing a URI-reference to a resource intended to allow a tracked user
agent to review or delete data collected by this site, if any such data
remains associated with this user agent. The design of such a resource and
the extent to which it can provide access to that data is beyond the scope
of this protocol.
An optional member named options may be provided with a string value
containing a URI-reference to a resource intended to allow a user agent to
opt-in, opt-out, or otherwise modify their consent status regarding data
collection by this site. The design of such a resource and how it might
implement an out-of-band consent mechanism is beyond the scope of this
protocol.
Additional extension members may be provided in the status-object to
support future enhancements to this protocol. A user agent should ignore
extension members that it does not recognize.
Note that the tracking status resource space applies equally to both
first-party and third-party services. An example of a third-party tracking
status is
{
"tracking": true,
"received": "1",
"response": "n",
"policy": "/privacy.html",
"edit": "/your/data",
"options": "/your/consent"
}
ISSUE-47: Should the response from the server indicate a policy that
describes the DNT practices of the server?
[PENDING REVIEW] The tracking status resource is a machine-readable policy
and provides a mechanism for supplying a link to a human-readable policy.
ISSUE-61: A site could publish a list of the other domains that are
associated with them
[PENDING REVIEW] The same-site and partners members provide a means to
list first-party and third-party domains, respectively.
ISSUE-124: Alternative DNT implementations that replace HTTP headers with
something else
[PENDING REVIEW] The tracking status resource minimizes bandwidth usage
because only a small proportion of user agents are expected to perform
active verification, status would only be requested once per site per day,
and the response can be extensively cached.
5.1.2 Using the Tracking Status
A key advantage of providing the tracking status at a resource separate
from the site's normal services is that the status can be accessed and
reviewed prior to making use of those services and prior to making
requests on third-party resources referenced by those services. In
addition, the presence (or absence) of a site-wide tracking status
representation is a means for testing deployment of this standard and
verifying that a site's claims regarding tracking are consistent with the
site's observed behavior over time.
A user agent may check the tracking status for a given resource URI by
making a retrieval request for the well-known address /.well-known/dnt
relative to that URI.
If the response is an error, then the service does not implement this
standard. If the response is a redirect, then follow the redirect to
obtain the tracking status (up to some reasonable maximum of redirects to
avoid misconfigured infinite request loops). If the response is
successful, obtain the tracking status representation from the message
payload, if possible, or consider it an error.
Once the tracking status representation is obtained, parse the
representation as JSON to extract the Javascript status-object. If parsing
results in a syntax error, the user agent should consider the site to be
non-conformant with this protocol.
If the status-object does not have a member named path or if the value of
path is not "/" and not a prefix of the path component for the URI being
checked, then find the service-specific tracking status resource by taking
the template /.well-known/dnt{+pathinfo} and replacing {+pathinfo} with
the path component of the URI being checked. Perform a retrieval request
on the service-specific tracking status resource and process the result as
described above to obtain the specific tracking status.
The status-object is supposed to have a member named tracking with a
boolean value. If the value is false, then no tracking is performed for
the URI being checked. If the value is true, then examine the member named
received to verify that the DNT header field sent by the user agent has
been correctly received by the server. If the received value is incorrect,
there may be an intermediary interfering with transmission of the DNT
request header field.
If the received value is correct, then examine the member named response
to see what the origin server has claimed regarding the tracking status
for this user agent in light of the received DNT-field-value.
If the first character of the response value is "n", then the origin
server claims that it will not track the user agent for requests on the
URI being checked, and for any URIs with a path prefix matching the path
member's value, for at least the next 24 hours or until the Cache-Control
information indicates that this response expires, as described below.
If the first character of the response value is "t", then the origin
server claims that it might track the user agent for requests on the URI
being checked, and for any URIs with a path prefix matching the path
member's value, for at least the next 24 hours or until the Cache-Control
information indicates that this response expires.
The remaining characters of the response value might indicate reasons for
the above choices or limitations that the origin server will place on its
tracking.
The others members of the status-object may be used to help the user agent
differentiate between a site's first-party and third-party services, to
provide links to additional human-readable information related to the
tracking policy, and to provide links for control over past data collected
or over some consent mechanism outside the scope of this protocol.
5.1.3 Tracking Status Caching
If the tracking status is applicable to all users, regardless of the
received DNT-field-value or other data received via the request, then the
response should be marked as cacheable and assigned a time-to-live
(expiration or max-use) that is sufficient to enable shared caching but
not greater than the earliest point at which the service's tracking
behavior might increase. For example, if the tracking status response is
set to expire in seven days, then the earliest point in time that the
service's tracking behavior can be increased is seven days after the
policy has been updated to reflect the new behavior, since old copies
might persist in caches until the expiration is triggered. A service's
tracking behavior can be reduced at any time, with or without a
corresponding change to the tracking status resource.
If the tracking status is only applicable to all users that have the same
DNT-field-value, then either the response must include a Cache-Control
header field with one of the directives "no-cache", "no-store",
"must-revalidate", or "max-age=0", or the response must include a Vary
header field that includes "DNT" in its field-value.
If the tracking status is only applicable to the specific user that
requested it, then the response must include a Cache-Control header field
with one of the directives "no-cache", "no-store", "must-revalidate", or
"max-age=0".
Regardless of the cache-control settings, it is expected that user agents
will check the tracking status of a service only once per session (at
most). A public Internet site that intends to change its tracking status
to increase tracking behavior must update the tracking status resource in
accordance with that planned behavior at least twenty-four hours prior to
activating that new behavior on the service.
ISSUE-90: Interaction of DNT with caching and intermediaries
[PENDING REVIEW] The tracking status response explicitly controls caching,
allows the received DNT-field-value to be echoed to the client, and does
so in the body to reduce accidental loss in transit.
5.1.4 Tracking Status ABNF
The representation of a site's machine-readable tracking status must
conform to the following ABNF for status-object, except that the members
within each member-list may be provided in any order.
status-object = begin-object member-list end-object
member-list = [ path ns path-v vs ]
tracking ns tracking-v
[ vs received ns received-v ]
[ vs response ns response-v ]
[ vs same-site ns same-site-v ]
[ vs partners ns partners-v ]
[ vs policy ns policy-v ]
[ vs edit ns edit-v ]
[ vs options ns options-v ]
*( vs extension )
path = %x22 "path" %x22
path-v = string ; URI absolute-path
tracking = %x22 "tracking" %x22
tracking-v = true / false
received = %x22 "received" %x22
received-v = null / string
response = %x22 "response" %x22
response-v = %x22 r-codes %x22
r-codes = ("t" / "n") *reasons
reasons = "1" ; first-party
/ "3" ; third-party
/ "a" ; advertising audits
/ "c" ; prior consent
/ "f" ; fraud prevention
/ "g" ; geographic/regional compliance
/ "q" ; frequency capping
/ "r" ; referrals
/ ALPHA / DIGIT ; TBD
same-site = %x22 "same-site" %x22
same-site-v = array-of-strings
partners = %x22 "partners" %x22
partners-v = array-of-strings
policy = %x22 "policy" %x22
policy-v = string ; URI-reference
edit = %x22 "edit" %x22
edit-v = string ; URI-reference
options = %x22 "options" %x22
options-v = string ; URI-reference
extension = object
array-of-strings = begin-array
[ string *( vs string ) ]
end-array
ns = <name-separator (:), as defined in [RFC4627]>
vs = <value-separator (,), as defined in [RFC4627]>
begin-array = <begin-array ([), as defined in [RFC4627]>
end-array = <end-array (]), as defined in [RFC4627]>
begin-object = <begin-object ({), as defined in [RFC4627]>
end-object = <end-object (}), as defined in [RFC4627]>
object = <object, as defined in [RFC4627]>
string = <string, as defined in [RFC4627]>
true = <true, as defined in [RFC4627]>
false = <false, as defined in [RFC4627]>
null = <null, as defined in [RFC4627]>
Cheers,
Roy T. Fielding <http://roy.gbiv.com/>
Principal Scientist, Adobe Systems <http://adobe.com/enterprise>
Received on Monday, 13 February 2012 08:22:25 UTC