Re: tracking-ISSUE-150: DNT conflicts from multiple user agents [Tracking Definitions and Compliance]

Hi Brooks, 

welcome back in the game. We have already discussed a requirement in the 
Specification that intermediaries shouldn't inject stuff. Issue is that the 
server doesn't see that it is an injection as we do not have hashing or some 
such SSL. So by receiving a DNT;1 header, the server has to assume this 
status and by receiving a DNT;0 can assume an exception. In case of 
injections, injecting DNT;1 is creating trouble for the server and injecting 
DNT;0 is creating trouble for the user. This is just a weak point of the 
protocol because of the lacking end-to-end security. We can surely require 
it, but does it buy us anything? I don't know. I would not object if someone 
would come up with a good wording. 


On Friday 01 June 2012 17:56:21 Dobbs, Brooks wrote:
> New voice here...  I might as well jump right into the controversy.
> I am not sure there is full consistency here.  I read the spec as saying
> "Key to that notion of expression is that it must reflect the user's
> preference".  This seems pretty foundational to me.  Where there is a
> significant likelihood for the origin server to believe that the
> expression is not a reflection of the user's preference (either as a 1 or
> a 0), wouldn't such server be in error to process it accordingly?
> Conversely to the IE/AVG cases, if hypothetically an ISP were to inject
> an extension into every DNT header which in the future allowed for an
> exception, wouldn't the server be in error for always making room for
> this exception where they know it to be coming from that ISP?
> -Brooks

Received on Sunday, 3 June 2012 14:48:59 UTC