- From: Nicholas Doty <npdoty@w3.org>
- Date: Mon, 5 Mar 2012 14:27:44 -0800
- To: Ronan Heffernan <ronansan@gmail.com>
- Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
[Another message originally not sent to the public list. This is the last of these, I believe. My apologies for the confusion.]

On Oct 29, 2011, at 1:31 PM, Nicholas Doty wrote:

On Oct 28, 2011, at 3:24 AM, Ronan Heffernan wrote:

> If the opt-in status is not stored in a cookie, data-store, or other technology that is accessible to the script at the well-known URI (as a flag, a userid to be looked-up, a session-id to be looked up, etc.), then how will it be accessible to the page-elements that will perform the tracking? If the opt-in statement is contained in a POST, that information will be recorded somewhere for later use (e.g. a cookie or a database record) that the well-known URI script can access, unless the POST that changes the user's opt-in status is being sent directly to the object that is doing the tracking, for one-time use.

When I load a page in my browser, I can also execute JavaScript and other local plugins, like Flash. I don't expect the user agent to execute client-side JavaScript or plugins when loading the well-known URI to check a machine-readable policy; as a result there are lots of technologies that aren't available to the script at the well-known URI. So if a tracking element uses localStorage, Flash LSOs, browser fingerprinting or any other technology other than HTTP cookies to identify a user (and the user's opt-back-in status), then it could track a user across sites and not be able to tell that user about their opt-back-in status at the well-known URI.

—Nick

Received on Monday, 5 March 2012 22:27:54 UTC