RE: Transitive third party exceptions

Is this entirely to meet European requirements, because it sounds like there is still some debate among those well versed in European law as to whether this will help.  From a logical standpoint, I still maintain this makes no sense at all.  Why would we assume the user would trust the 3rd party who they don’t know, more than the 1st party who they do?  If transitive trust is adequate for a 3rd party, it surely should be for the 1st party.  I still believe this has almost all of the negatives of explicit/explicit (cost and complexity), without many of the benefits (aside from the fact that this is at least more technically feasible)

Kevin Smith  |  Engineering Manager  |  Adobe  |  385.221.1288 |  kevsmith@adobe.com

From: Ian Fette (イアンフェッティ) [mailto:ifette@google.com]
Sent: Wednesday, May 09, 2012 9:37 AM
To: public-tracking@w3.org Group WG
Subject: Transitive third party exceptions

This is meant to satisfy ACTION-194 and is a proposal for transitive third party exceptions. I'm not sure if it's necessary if we restrict things to "first-party/*" but if you want to list out "first-party/third-party" explicit/explicit exceptions, I believe it would be necessary for things like advertising networks to function.

"If a third party has been granted an exception on a page, then any resources fetched by that third party, including items such as images included by that third party, content dynamically fetched by that third party, or another third party that is redirected to (such as via an HTTP 302 status code) are considered to be covered by that exception. This applies transitively, meaning that if in a given context "Site A" is a third party and has an exception, if it redirects to "Site B" then "Site B" is covered by that exception, as would "Site C" if "Site B" either included content from or redirected to "Site C".

-Ian