- From: David Singer <singer@apple.com>
- Date: Fri, 20 Jan 2012 19:29:58 -0800
- To: Nicholas Doty <npdoty@w3.org>
- Cc: "Roy T. Fielding" <fielding@gbiv.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>

My question was, can a UA mix dnt:0, dnt:1 and requests with no dnt header at all?

Dave Singer (iPhone)

On Jan 20, 2012, at 18:14, Nicholas Doty <npdoty@w3.org> wrote:

> On Jan 13, 2012, at 5:10 PM, Roy T. Fielding wrote:
>
>> On Jan 13, 2012, at 2:41 PM, David Singer wrote:
>>
>>> In reading a separate thread, I realized that there is a potential issue here over DNT:0.
>>>
>>> A little while back we discussed whether the UA should send a DNT header to the first party. A number of us argued that it should, even if the first party is exempt: because the first party may care that its third parties are being asked not to track - it might ask for payment in consequence, for example.
>>>
>>> This argument relies on the assumption that DNT is a single 'big switch', either on or off, but the discussion around DNT:0 reveals that people think it may be OK for the UA to send DNT:1 to some sites, and DNT:0 to others.
>>
>> Yes, that discussion is why I defined it as a big switch "on" with
>> configurable exceptions to off.
>>
>> In that case, DNT: 0 is only received when the switch is on for
>> others, which is as much information that the user agent can send
>> to the first party without compromising its own configuration.
>> But that only works as notification to first-parties if UAs do not
>> implement a global switch with which the user can explicitly
>> turn DNT off for all sites.
>
> If a user has Do Not Track enabled with a few exceptions (through the site-specific exceptions proposal, say), I would expect that on initiating a new page load of example.com DNT:1 is sent in the request to example.com, even if the browser has some exceptions for trackers on example.com.
> -- because the user agent doesn't know which domains resources referred to in the response HTML will be
> -- because the user wants example.com to follow the limits on 1st parties (probably something like: don't share the information of this visit with arbitrary third parties)
> -- because the user might want to give a general expression of not wanting to be tracked, which the first party could choose to act on
> -- because the site might want to know that their third parties may be receiving DNT:1 (though aren't necessarily).
>
>> Until Wednesday, nobody had suggested that browsers would implement
>> an off switch. I'd like to know if WebKit will do that.
>
> I can't speak for any browser vendors, but setting all requests to DNT:0 certainly seems like a plausible use case. Maybe I'm a European and I affirmatively want tracking by third parties while browsing so that advertising is likely to be more relevant to me.
>
>>> So what, then, does the first party get? DNT:1 if any third party is getting DNT:1, else DNT:0 if all are getting DNT:0? An average of the DNT values :-) DNT:0.7 ??!
>>
>> The first party would get DNT 0 if an explicit exception exists.
>> That does not tell the first party which, if any, of its
>> subrequest partners might receive DNT 1 instead. It only alerts
>> them to the potential.
>
> I think the first party's receiving DNT:1 can signal to them that other parties may be receiving DNT:1. And the first party's JavaScript can use APIs to determine which third parties are receiving that signal, if that level of detail matters to them.
>
>>> Am I, as a UA, allowed to mix non-DNT requests into the mix?
>>
>> Not as currently defined.
>
> I'm not sure I understand David's original question was here. I would think the spec should allow user agents to determine when to send DNT requests and when not to, which could include mixing DNT:1, DNT:0 and unspecified requests during the course of browsing. I would expect most implementations (at least initially) to send DNT:1 for all requests.
>
> —Nick

Received on Saturday, 21 January 2012 03:31:37 UTC