RE: JS Exception API [ISSUE-112]

-----Original Message-----
From: Nicholas Doty [mailto:npdoty@w3.org] 
Sent: Tuesday, March 06, 2012 5:53 PM
To: Kevin Smith
Cc: public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: JS Exception API [ISSUE-112]

On Mar 1, 2012, at 3:36 PM, Kevin Smith wrote:
>> ISSUE: Should a request for a tracking exception apply to all subdomains of the first party making the request? Or should a first party explicitly list the subdomains that it's asking for? Similarly, should third party subdomains be allowed (e.g. *.tracker.com)?
> 
>> **Proposal** Exceptions are requested for fully-qualified domain names.
> 
> I understand and somewhat agree with the reasoning behind this.  However, this will greatly increase the number of exception request popups that user's experience.  I am concerned that this will make the experience so poor that it will actual drive users to turn off DNT.  More importantly - I suggest that we do not keep trying to reinvent our own wheels.  Whatever definition we come to for 1st parties (brand based, affiliation based etc) - let's use that here as well.  If we define two or more different ways to define a 1st party, we will confuse users even more.  

>I understand the motivation for not duplicating definitions. But however we define the extent of a party in the compliance doc, user-agent-managed site-specific exceptions will need to maintain lists of domain name pairs to which a DNT:0 header should be sent and there's no guarantee that branding/affiliation/user expectation will have a deterministic mapping to domain names.

Good point Nick.  This was one reason we explored the concept of a doc which stated its parent paired with a parent doc stating its children.  It would provide a machine explorable method of determining the boundaries of a 1st party.  That suggestion was certainly not without problems and neither is this.  In this case, we are providing multiple definitions of a first party (confusing) and would generate more exception requests for users (frustrating).  However, it is certainly simple and I like that.

>I agree with Matthias that good user agent UI can intelligently collapse long lists of exceptions. The user agent could also provide the option (even a default) to persist this permission for all subdomains of the current domain in order to decrease the number of questions the user is explicitly asked. It's even been suggested that the dnt-sites.txt list (or other implementations of that list) could be used to intelligently persist exceptions.

I understand that you can hide the list and ask for an 'Accept All' unless they drill in.  That does not however resolve issues with frequently changing 3rd parties causing frequent exception requests, how that list will ever be of value to any but the most educated user , nor the expense incurred by the site in allowing a state where some of the items have exceptions while others do not.

Thanks,
Nick

Received on Wednesday, 7 March 2012 01:06:37 UTC