RE: Modifying a DNT Header (ISSUE-153, ACTION-285)


Outside of true malware, I believe there are many settings UAs attempt to protect (Certs & Keys, for example) and we're asking for a similar level of protection here to ensure only those plug-ins/apps that have a valid handshake with the UA are able to modify the setting (and appropriately record what party is making the change).

As this is a voluntary standard, attempts to call something that Server-side implementers are clearly interested in as "rat holing" is not going to help the process move forward.

- Shane

-----Original Message-----
From: Walter van Holst [] 
Sent: Friday, November 09, 2012 12:18 PM
Subject: Re: Modifying a DNT Header (ISSUE-153, ACTION-285)

On 9 nov. 2012, at 19:26, David Wainberg <> wrote:
>> Guys, this is a rat-hole.  We already say what we need to say: that a DNT header present in an HTTP request must reflect the intent of the user.  That is the functional rule we need, and we don't need to dig into the myriad ways to construct systems that end up putting it there.
> But what do we do about software that just doesn't care that the spec says that? Are you saying a UA should unquestioningly do whatever some other piece of software tells it? (just like Ron Burgundy will read whatever's on the teleprompter?)

Not that it should, the nature of the beast is that it cannot do otherwise. It is just the reality of general purpose computing that expecting more from the UA than in my earlier text proposal (which may be in need of further refinement) is not unlike requiring someone to ignore the laws of physics. I concur with David that this is becoming a rat hole.



Received on Friday, 9 November 2012 19:29:13 UTC