- From: Shane Wiley <wileys@yahoo-inc.com>
- Date: Fri, 30 Nov 2012 14:15:42 +0000
- To: Joseph Lorenzo Hall <joe@cdt.org>
- CC: "public-tracking@w3.org" <public-tracking@w3.org>, "Mike O'Neill" <michael.oneill@baycloud.com>, Nicholas Doty <npdoty@w3.org>
Joe, As the root domain is consistent, I don't see how a 3rd party could "sneak" in via a wildcard here. - Shane -----Original Message----- From: Joseph Lorenzo Hall [mailto:joe@cdt.org] Sent: Friday, November 30, 2012 5:17 AM To: Shane Wiley Cc: public-tracking@w3.org; Mike O'Neill; Nicholas Doty Subject: Re: action-334, issue-112, a summary on sub-domains for exceptions Shane, it sounds like maintaining such a list without wildcards, from your perspective, would be difficult and potentially error-prone? Is there a way to reach unaffiliated third parties that might "sneak" in via a wildcard? best, Joe On Wed Nov 28 18:16:40 2012, Shane Wiley wrote: > Mike, > > Our list is longer than you assume – and I believe others will run > into as well. Suggest we place both options in the TPE draft and go > from there on the normal consensus process to have others weigh in. > > - Shane > > *From:*Mike O'Neill [mailto:michael.oneill@baycloud.com] > *Sent:* Wednesday, November 28, 2012 3:14 PM > *To:* Shane Wiley; Nicholas Doty > *Cc:* public-tracking@w3.org > *Subject:* RE: action-334, issue-112, a summary on sub-domains for > exceptions > > Hi Shane, > > I don’t think the server side work is too onerous. If we represented > the TrackingResource in webIDL: > > interface *TrackingResourceDescriptor* { > > attribute sequence<DOMString>? same-party > <#widl-TrackingResourceDescriptor-same-pa>; > > attribute sequence<DOMString>? third-party > <#widl-TrackingResourceDescriptor-third-p>; > > attribute sequence<DOMString>? audit > <#widl-TrackingResourceDescriptor-audit>; > > attribute DOMString? policy > <#widl-TrackingResourceDescriptor-policy>; > > attribute DOMString? control > <#widl-TrackingResourceDescriptor-control>; > > }; > > Even if we did not have a tracking resource, or we did not want to > mess with the one we had, it could be done client-side (say on > yahoo.com) with script like this: > > <script type="text/JavaScript"> > > var tdr = new *TrackingResourceDescriptor();* > > *tdr.same-party = > [“yahoo.co.uk”,”yahoo-inc.com”,”completely.different.domain.com”,...]; > * > > *setUGE( [“tp1.com”,”tp2.net”], tdr);* > > </script> > > i.e. the UGE gets set for yahoo.com, yahoo.co.uk, yahoo-inc.com etc. > by setting up the other domain names in a same-party array then > passing it in using a new optional parameter to the API. > > Mike > > *From:*Shane Wiley [mailto:wileys@yahoo-inc.com] > *Sent:* 28 November 2012 22:20 > *To:* Mike O'Neill > *Cc:* public-tracking@w3.org <mailto:public-tracking@w3.org>; Nicholas > Doty > *Subject:* RE: action-334, issue-112, a summary on sub-domains for > exceptions > > Mike, > > I believe going this route still requires an over abundance of work on > the Server side - all in the attempt to stop bad actors who would not > likely submit a traceable exception for domains they don’t own > (already a violation of the draft standard to do this as they are not > “affiliated”). So would again ask for making this easier for those > that want to implement the standard and not create arbitrary walls or > huddles in the failed attempt to thwart bad actors. > > - Shane > > *From:*Mike O'Neill [mailto:michael.oneill@baycloud.com] > *Sent:* Wednesday, November 28, 2012 2:13 PM > *To:* Shane Wiley > *Cc:* public-tracking@w3.org <mailto:public-tracking@w3.org>; Nicholas > Doty > *Subject:* RE: action-334, issue-112, a summary on sub-domains for > exceptions > > Hi Shane, > > Allowing wildcards in the TLD suffix is not a good idea. There are > many domains where sites run by completely different entities only > differ by the TLD. Only subdomains can be guaranteed to be operated by > entities who are the main domain owner, or have a contractual > relationship with them. > > A list of domains in the tracking resource, like same-party (or > another name if we don’t want to overload the meaning), could handle > this use case, and could apply to any domain (like yahoo-inc.com). It > could also work for web-wide exceptions. > > If we wanted to handle cases where there was no tracking resource URI, > or where the same-party list needed to be dynamically calculated, we > could have a new optional parameter to the API that references an > object with attributes mirroring the relevant elements in the > tracking resource. > > Mike > -- Joseph Lorenzo Hall Senior Staff Technologist Center for Democracy & Technology 1634 I ST NW STE 1100 Washington DC 20006-4011 (p) 202-407-8825 (f) 202-637-0968 joe@cdt.org
Received on Friday, 30 November 2012 14:28:03 UTC