Re: action-334, issue-112, a summary on sub-domains for exceptions

Shane, it sounds like maintaining such a list without wildcards, from 
your perspective, would be difficult and potentially error-prone? Is 
there a way to reach unaffiliated third parties that might "sneak" in 
via a wildcard? best, Joe

On Wed Nov 28 18:16:40 2012, Shane Wiley wrote:
> Mike,
>
> Our list is longer than you assume – and I believe others will run
> into as well.  Suggest we place both options in the TPE draft and go
> from there on the normal consensus process to have others weigh in.
>
> - Shane
>
> *From:*Mike O'Neill [mailto:michael.oneill@baycloud.com]
> *Sent:* Wednesday, November 28, 2012 3:14 PM
> *To:* Shane Wiley; Nicholas Doty
> *Cc:* public-tracking@w3.org
> *Subject:* RE: action-334, issue-112, a summary on sub-domains for
> exceptions
>
> Hi Shane,
>
> I don’t think the server side work is too onerous. If we represented
> the TrackingResource in webIDL:
>
> interface *TrackingResourceDescriptor* {
>
>     attribute sequence<DOMString>? same-party
> <#widl-TrackingResourceDescriptor-same-pa>;
>
>     attribute sequence<DOMString>? third-party
> <#widl-TrackingResourceDescriptor-third-p>;
>
>     attribute sequence<DOMString>? audit
> <#widl-TrackingResourceDescriptor-audit>;
>
>     attribute DOMString? policy <#widl-TrackingResourceDescriptor-policy>;
>
>     attribute DOMString? control
> <#widl-TrackingResourceDescriptor-control>;
>
> };
>
> Even if we did not have a tracking resource, or we did not want to
> mess with the one we had, it could be done client-side (say on
> yahoo.com) with script like this:
>
> <script type="text/JavaScript">
>
> var tdr = new *TrackingResourceDescriptor();*
>
> *tdr.same-party =
> [“yahoo.co.uk”,”yahoo-inc.com”,”completely.different.domain.com”,...];*
>
> *setUGE( [“tp1.com”,”tp2.net”], tdr);*
>
> </script>
>
> i.e. the UGE gets set for yahoo.com, yahoo.co.uk, yahoo-inc.com etc.
> by setting up the other domain names in a same-party array then
> passing it in using a new optional parameter to the API.
>
> Mike
>
> *From:*Shane Wiley [mailto:wileys@yahoo-inc.com]
> *Sent:* 28 November 2012 22:20
> *To:* Mike O'Neill
> *Cc:* public-tracking@w3.org <mailto:public-tracking@w3.org>; Nicholas
> Doty
> *Subject:* RE: action-334, issue-112, a summary on sub-domains for
> exceptions
>
> Mike,
>
> I believe going this route still requires an over abundance of work on
> the Server side - all in the attempt to stop bad actors who would not
> likely submit a traceable exception for domains they don’t own
> (already a violation of the draft standard to do this as they are not
> “affiliated”).  So would again ask for making this easier for those
> that want to implement the standard and not create arbitrary walls or
> huddles in the failed attempt to thwart bad actors.
>
> - Shane
>
> *From:*Mike O'Neill [mailto:michael.oneill@baycloud.com]
> *Sent:* Wednesday, November 28, 2012 2:13 PM
> *To:* Shane Wiley
> *Cc:* public-tracking@w3.org <mailto:public-tracking@w3.org>; Nicholas
> Doty
> *Subject:* RE: action-334, issue-112, a summary on sub-domains for
> exceptions
>
> Hi Shane,
>
> Allowing wildcards in the TLD suffix is not a good idea. There are
> many domains where sites run by completely different entities only
> differ by the TLD. Only subdomains can be guaranteed to be operated by
> entities who are the main domain owner,  or have a contractual
> relationship with them.
>
> A list of domains in the tracking resource, like same-party (or
> another name if we don’t want to overload the meaning),  could handle
> this use case, and could apply to any domain (like yahoo-inc.com). It
> could also work for web-wide exceptions.
>
> If we wanted to handle cases where there was no tracking resource URI,
> or where the same-party list needed to be dynamically calculated, we
> could have a new optional parameter to the API that references an
> object with  attributes mirroring the relevant elements in the
> tracking resource.
>
> Mike
>

--
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org

Received on Friday, 30 November 2012 12:17:37 UTC