RE: action-334, issue-112, a summary on sub-domains for exceptions from Shane Wiley on 2012-11-30 (public-tracking@w3.org from November 2012)

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Fri, 30 Nov 2012 14:15:42 +0000
To: Joseph Lorenzo Hall <joe@cdt.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>, "Mike O'Neill" <michael.oneill@baycloud.com>, Nicholas Doty <npdoty@w3.org>
Message-ID: <DCCF036E573F0142BD90964789F720E30705F740@GQ1-EX10-MB03.y.corp.yahoo.com>

Joe,

As the root domain is consistent, I don't see how a 3rd party could "sneak" in via a wildcard here.

- Shane

-----Original Message-----
From: Joseph Lorenzo Hall [mailto:joe@cdt.org] 
Sent: Friday, November 30, 2012 5:17 AM
To: Shane Wiley
Cc: public-tracking@w3.org; Mike O'Neill; Nicholas Doty
Subject: Re: action-334, issue-112, a summary on sub-domains for exceptions

Shane, it sounds like maintaining such a list without wildcards, from your perspective, would be difficult and potentially error-prone? Is there a way to reach unaffiliated third parties that might "sneak" in via a wildcard? best, Joe

On Wed Nov 28 18:16:40 2012, Shane Wiley wrote:
> Mike,
>
> Our list is longer than you assume – and I believe others will run 
> into as well.  Suggest we place both options in the TPE draft and go 
> from there on the normal consensus process to have others weigh in.
>
> - Shane
>
> *From:*Mike O'Neill [mailto:michael.oneill@baycloud.com]
> *Sent:* Wednesday, November 28, 2012 3:14 PM
> *To:* Shane Wiley; Nicholas Doty
> *Cc:* public-tracking@w3.org
> *Subject:* RE: action-334, issue-112, a summary on sub-domains for 
> exceptions
>
> Hi Shane,
>
> I don’t think the server side work is too onerous. If we represented 
> the TrackingResource in webIDL:
>
> interface *TrackingResourceDescriptor* {
>
>     attribute sequence<DOMString>? same-party 
> <#widl-TrackingResourceDescriptor-same-pa>;
>
>     attribute sequence<DOMString>? third-party 
> <#widl-TrackingResourceDescriptor-third-p>;
>
>     attribute sequence<DOMString>? audit 
> <#widl-TrackingResourceDescriptor-audit>;
>
>     attribute DOMString? policy 
> <#widl-TrackingResourceDescriptor-policy>;
>
>     attribute DOMString? control
> <#widl-TrackingResourceDescriptor-control>;
>
> };
>
> Even if we did not have a tracking resource, or we did not want to 
> mess with the one we had, it could be done client-side (say on
> yahoo.com) with script like this:
>
> <script type="text/JavaScript">
>
> var tdr = new *TrackingResourceDescriptor();*
>
> *tdr.same-party =
> [“yahoo.co.uk”,”yahoo-inc.com”,”completely.different.domain.com”,...];
> *
>
> *setUGE( [“tp1.com”,”tp2.net”], tdr);*
>
> </script>
>
> i.e. the UGE gets set for yahoo.com, yahoo.co.uk, yahoo-inc.com etc.
> by setting up the other domain names in a same-party array then 
> passing it in using a new optional parameter to the API.
>
> Mike
>
> *From:*Shane Wiley [mailto:wileys@yahoo-inc.com]
> *Sent:* 28 November 2012 22:20
> *To:* Mike O'Neill
> *Cc:* public-tracking@w3.org <mailto:public-tracking@w3.org>; Nicholas 
> Doty
> *Subject:* RE: action-334, issue-112, a summary on sub-domains for 
> exceptions
>
> Mike,
>
> I believe going this route still requires an over abundance of work on 
> the Server side - all in the attempt to stop bad actors who would not 
> likely submit a traceable exception for domains they don’t own 
> (already a violation of the draft standard to do this as they are not 
> “affiliated”).  So would again ask for making this easier for those 
> that want to implement the standard and not create arbitrary walls or 
> huddles in the failed attempt to thwart bad actors.
>
> - Shane
>
> *From:*Mike O'Neill [mailto:michael.oneill@baycloud.com]
> *Sent:* Wednesday, November 28, 2012 2:13 PM
> *To:* Shane Wiley
> *Cc:* public-tracking@w3.org <mailto:public-tracking@w3.org>; Nicholas 
> Doty
> *Subject:* RE: action-334, issue-112, a summary on sub-domains for 
> exceptions
>
> Hi Shane,
>
> Allowing wildcards in the TLD suffix is not a good idea. There are 
> many domains where sites run by completely different entities only 
> differ by the TLD. Only subdomains can be guaranteed to be operated by 
> entities who are the main domain owner,  or have a contractual 
> relationship with them.
>
> A list of domains in the tracking resource, like same-party (or 
> another name if we don’t want to overload the meaning),  could handle 
> this use case, and could apply to any domain (like yahoo-inc.com). It 
> could also work for web-wide exceptions.
>
> If we wanted to handle cases where there was no tracking resource URI, 
> or where the same-party list needed to be dynamically calculated, we 
> could have a new optional parameter to the API that references an 
> object with  attributes mirroring the relevant elements in the 
> tracking resource.
>
> Mike
>

--
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org

Received on Friday, 30 November 2012 14:28:03 UTC