Re: Well-known URI vs response headers? [ISSUE-81, ISSUE-47, ISSUE-80]

[Another message originally not sent to the public list. This is the last of these, I believe. My apologies for the confusion.]

On Oct 29, 2011, at 1:31 PM, Nicholas Doty wrote:
On Oct 28, 2011, at 3:24 AM, Ronan Heffernan wrote:

> If the opt-in status is not stored in a cookie, data-store, or other technology that is accessible to the script at the well-known URI (as a flag, a userid to be looked up, a session-id to be looked up, etc.), then how will it be accessible to the page-elements that will perform the tracking? If the opt-in statement is contained in a POST, that information will be recorded somewhere for later use (e.g. a cookie or a database record) that the well-known URI script can access, unless the POST that changes the user's opt-in status is being sent directly to the object that is doing the tracking, for one-time use.

When I load a page in my browser, I can also execute JavaScript and other local plugins, like Flash. I don't expect the user agent to execute client-side JavaScript or plugins when loading the well-known URI to check a machine-readable policy; as a result there are lots of technologies that aren't available to the script at the well-known URI. So if a tracking element uses localStorage, Flash LSOs, browser fingerprinting or any other technology other than HTTP cookies to identify a user (and the user's opt-back-in status), then it could track a user across sites and not be able to tell that user about their opt-back-in status at the well-known URI.

—Nick

Received on Monday, 5 March 2012 22:27:54 UTC