Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)]

On Tue, Oct 23, 2012 at 12:24 PM, Roy T. Fielding <> wrote:

> On Oct 23, 2012, at 3:15 AM, Mike O'Neill wrote:
> > The point about particular resource URIs changing from 3rd to 1st party
> > context is one of the reasons for the change I suggested in issue-182.
> The
> > user-agent has the party information at hand when it sends out a request,
> > and it would be simple for it to communicate this to the server in the
> > header.
> No, it does not.  The fact is that neither the browser nor the server
> knows what requests are first party and what requests are third party.
> Just clicking on a link doesn't make it the first party -- the identifier
> would have to be compared to the contextual user information (the
> information that gave the user the idea that they wanted to click
> on that link).
> In theory, the only way we could mechanically distinguish between
> first and third party references would be to change the URIs
> (not going to happen) or add additional metadata to the mark-up to
> indicate which is which; in practice, we already know that authors
> won't correctly mark-up such links, and I suspect TLR would be
> somewhat upset if I started redefining HTML here.
> Of course, this has no impact on enforcement of the standard.
> The people building Web sites know which links are to third parties,
> even if they don't have a special mark-up.
> Regulators are fully capable of distinguishing between where they
> intend to visit and other entities that might be performing data
> collection -- a simple browser extension or protocol stream capture
> will reveal all they need to know, and is easily packaged as a tool.
> > For example the handler associated with a social widget will
> > normally receive a request indicating 3rd party context usage ( DNT: 1)
> and
> > the handler will return Tk3. If a user clicks on it a request will be
> sent
> > out with the f qualifier ( DNT: 1f)  and the handler can return a Tk1
> > response if it now conforms to 1st party rules.
> >
> > In the DNT = 0 case the exception API will have been called. In a 3rd
> party
> > context the DNT header would now be DNT: indicating the
> > document origin of the top level page, which is also the origin host
> which
> > initiated the exception. This can be used to prove compliance (by
> retaining
> > logs in the DNT:0 case) or to debug script errors on the top level site.
> HTTP already has Referer header fields.
> ....Roy
Referer is not sent though with https if the site is on a different origin.

Stepping back though, we're spending a lot of time defining all of these
more complex response codes, has anyone expressed any interest in using
them? I believe this is already more complex than we have any interest in
using, and wonder if others are in a similar position.


Received on Tuesday, 23 October 2012 21:15:58 UTC