RE: ACTION-314: Draft non-normative examples of how a multi-domain site technically can ask for exceptions

Mike,

That's fair - let me circle with Adrian and David to see if we can connect the dots.

Site-Wide Exception: Requires Top-Level Origin Call but can provide domain list (for other 1st party domains and/or trusted 3rd parties)
Web-Wide Exception:  Requires Origin Call but not top-level (to support iFraming) - aka, one party cannot register an exception for another party.

- Shane

From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
Sent: Monday, November 05, 2012 10:44 AM
To: public-tracking@w3.org
Subject: ACTION-314: Draft non-normative examples of how a multi-domain site technically can ask for exceptions

Shane,

The existing API says that the API is relative to the top-level origin (and the target(s), if any) and this is still the assumption in Adrian's new API. Are you saying this should be changed to refer to any document origin? I read the reference to the document-origin in the grants database as short-hand for the top-level document origin, if this was not meant then a better explanation needs to be given in 6.3.

Mike


From: Shane Wiley [mailto:wileys@yahoo-inc.com]
Sent: 05 November 2012 17:00
To: Mike O'Neill; public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: RE: ACTION-314: Draft non-normative examples of how a multi-domain site technically can ask for exceptions

Mike,

We've vetted this approach with the Working Group in DC and still feel it's the appropriate path.  The goal is to build a standard for good actors, not hijack the focus for bad actors that would not implement DNT in the first place (or develop a "silent exception" process due to its audit trail).

- Shane

From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
Sent: Monday, November 05, 2012 9:55 AM
To: public-tracking@w3.org<mailto:public-tracking@w3.org>
Subject: Re: ACTION-314: Draft non-normative examples of how a multi-domain site technically can ask for exceptions

Shane,

I don't think that will work, because the document origin of the iframes will be different to the top level document origin of the page. i.e. if an iframe embedded in site xyz.com has src=companyxyz.com/resource then JS in the resource (executed in a third-party context) will not be able to set an exception for xyz.com. This is as it should be because otherwise it would be too easy for third-party script to silently create exceptions without the user being aware

Script in the window (with doc origin ) companyxyz.com could set up a target exception for xyz.com and vice versa though.


Mike

Received on Monday, 5 November 2012 18:22:36 UTC