- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 23 Oct 2012 12:24:01 -0700
- To: Mike O'Neill <michael.oneill@baycloud.com>
- Cc: "'Nicholas Doty'" <npdoty@w3.org>, <public-tracking@w3.org>
On Oct 23, 2012, at 3:15 AM, Mike O'Neill wrote:

> The point about particular resource URIs changing from 3rd to 1st party
> context is one of the reasons for the change I suggested in issue-182. The
> user-agent has the party information at hand when it sends out a request,
> and it would be simple for it to communicate this to the server in the DNT
> header.

No, it does not. The fact is that neither the browser nor the server knows what requests are first party and what requests are third party. Just clicking on a link doesn't make it the first party -- the identifier would have to be compared to the contextual user information (the information that gave the user the idea that they wanted to click on that link).

In theory, the only way we could mechanically distinguish between first and third party references would be to change the URIs (not going to happen) or add additional metadata to the mark-up to indicate which is which; in practice, we already know that authors won't correctly mark-up such links, and I suspect TLR would be somewhat upset if I started redefining HTML here.

Of course, this has no impact on enforcement of the standard. The people building Web sites know which links are to third parties, even if they don't have a special mark-up. Regulators are fully capable of distinguishing between where they intend to visit and other entities that might be performing data collection -- a simple browser extension or protocol stream capture will reveal all they need to know, and is easily packaged as a tool.

> For example the handler associated with a social widget will
> normally receive a request indicating 3rd party context usage ( DNT: 1) and
> the handler will return Tk3. If a user clicks on it a request will be sent
> out with the f qualifier ( DNT: 1f) and the handler can return a Tk1
> response if it now conforms to 1st party rules.
>
> In the DNT = 0 case the exception API will have been called. In a 3rd party
> context the DNT header would now be DNT: 0t=toplevel.com indicating the
> document origin of the top level page, which is also the origin host which
> initiated the exception. This can be used to prove compliance (by retaining
> logs in the DNT:0 case) or to debug script errors on the top level site.

HTTP already has Referer header fields.

....Roy
Received on Tuesday, 23 October 2012 19:24:21 UTC