- From: イアンフェッティ <ifette@google.com>
- Date: Tue, 23 Oct 2012 14:15:29 -0700
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: "Mike O'Neill" <michael.oneill@baycloud.com>, Nicholas Doty <npdoty@w3.org>, "public-tracking@w3.org Group WG" <public-tracking@w3.org>
- Message-ID: <CAF4kx8cZA6xshjX0zO348GW76CB5=JRLUrAZzHxPmBBcbU0XRQ@mail.gmail.com>
On Tue, Oct 23, 2012 at 12:24 PM, Roy T. Fielding <fielding@gbiv.com> wrote:

> On Oct 23, 2012, at 3:15 AM, Mike O'Neill wrote:
>
> > The point about particular resource URIs changing from 3rd to 1st party
> > context is one of the reasons for the change I suggested in issue-182. The
> > user-agent has the party information at hand when it sends out a request,
> > and it would be simple for it to communicate this to the server in the DNT
> > header.
>
> No, it does not. The fact is that neither the browser nor the server
> knows what requests are first party and what requests are third party.
> Just clicking on a link doesn't make it the first party -- the identifier
> would have to be compared to the contextual user information (the
> information that gave the user the idea that they wanted to click
> on that link).
>
> In theory, the only way we could mechanically distinguish between
> first and third party references would be to change the URIs
> (not going to happen) or add additional metadata to the mark-up to
> indicate which is which; in practice, we already know that authors
> won't correctly mark-up such links, and I suspect TLR would be
> somewhat upset if I started redefining HTML here.
>
> Of course, this has no impact on enforcement of the standard.
> The people building Web sites know which links are to third parties,
> even if they don't have a special mark-up.
> Regulators are fully capable of distinguishing between where they
> intend to visit and other entities that might be performing data
> collection -- a simple browser extension or protocol stream capture
> will reveal all they need to know, and is easily packaged as a tool.
>
> > For example the handler associated with a social widget will
> > normally receive a request indicating 3rd party context usage (DNT: 1) and
> > the handler will return Tk3. If a user clicks on it a request will be sent
> > out with the f qualifier (DNT: 1f) and the handler can return a Tk1
> > response if it now conforms to 1st party rules.
> >
> > In the DNT = 0 case the exception API will have been called. In a 3rd party
> > context the DNT header would now be DNT: 0t=toplevel.com indicating the
> > document origin of the top level page, which is also the origin host which
> > initiated the exception. This can be used to prove compliance (by retaining
> > logs in the DNT:0 case) or to debug script errors on the top level site.
>
> HTTP already has Referer header fields.
>
> ....Roy

Referer is not sent though with https if the site is on a different origin.

Stepping back though, we're spending a lot of time defining all of these more complex response codes. Has anyone expressed any interest in using them? I believe this is already more complex than we have any interest in using, and wonder if others are in a similar position.

-Ian
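The exchange above describes a proposed DNT header grammar (issue-182) and how a social-widget handler would answer it: plain `DNT: 1` in a third-party context gets `Tk: 3`, `DNT: 1f` may get `Tk: 1` only if the handler really conforms to first-party rules, and `DNT: 0t=toplevel.com` carries the top-level origin so the server can keep a compliance log even when, as Ian notes, no Referer arrives. The following Python is an added illustration written for this page, not code from the W3C working group or from any browser; the regular-expression grammar, the `DntSignal` type, the function names and the log-line format are assumptions that follow only what the thread states, and the mapping to Tk values covers just the cases the thread spells out (no Tk value is assigned for `DNT: 0`, since the thread gives none).

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Grammar assumed from Mike O'Neill's description in the thread (the issue-182
# proposal, not the published TPE grammar):
#   DNT-value = ("0" / "1") [ "f" ] [ "t=" host ]
#   "1"       -> third-party context, do not track
#   "1f"      -> resource now used in a first-party context (user clicked it)
#   "0t=host" -> site-specific exception granted; host is the top-level origin
_DNT_RE = re.compile(r"^([01])(f)?(?:t=([A-Za-z0-9.-]+))?$")


@dataclass(frozen=True)
class DntSignal:
    do_not_track: bool               # True for DNT: 1, False for DNT: 0
    first_party: bool                # "f" qualifier present
    top_level_origin: Optional[str]  # value of the "t=" qualifier, if any


def parse_dnt(value: str) -> DntSignal:
    """Parse one DNT header field value under the assumed grammar."""
    m = _DNT_RE.match(value.strip())
    if m is None:
        raise ValueError(f"malformed DNT value: {value!r}")
    flag, f_qual, host = m.groups()
    return DntSignal(do_not_track=(flag == "1"),
                     first_party=(f_qual is not None),
                     top_level_origin=host)


def widget_tk(signal: DntSignal, conforms_to_first_party_rules: bool) -> Optional[str]:
    """Tk value the widget handler returns for a DNT: 1 request.

    Plain "1" -> "3" (third-party rules). "1f" -> "1" only when the handler
    actually conforms to first-party rules; the qualifier alone does not
    earn it. The thread gives no Tk value for DNT: 0, so None is returned.
    """
    if not signal.do_not_track:
        return None
    if signal.first_party and conforms_to_first_party_rules:
        return "1"
    return "3"


def embedding_origin(signal: DntSignal, referer: Optional[str]) -> Optional[str]:
    """Top-level page origin, preferring the explicit t= qualifier over Referer.

    Ian's follow-up notes that Referer is not always sent, so a handler that
    relies on it alone can end up with nothing to log; the qualifier survives.
    """
    if signal.top_level_origin:
        return signal.top_level_origin
    if referer:
        return urlparse(referer).hostname
    return None


def exception_log_line(signal: DntSignal, referer: Optional[str]) -> Optional[str]:
    """Constructed log record for the DNT: 0 case, retained as compliance evidence."""
    if signal.do_not_track:
        return None
    origin = embedding_origin(signal, referer)
    return f"dnt0 exception top_level={origin or 'unknown'}"


if __name__ == "__main__":
    # Constructed sample requests: header value and the Referer the widget saw.
    samples = [("1", None), ("1f", None), ("0t=toplevel.com", None),
               ("0", "https://example.test/page"), ("0", None)]
    for raw, referer in samples:
        sig = parse_dnt(raw)
        print(f"DNT: {raw:<16} Tk={widget_tk(sig, True)!s:<5} "
              f"log={exception_log_line(sig, referer)}")
```

The last sample (`DNT: 0` with no Referer) is the case Ian raises: the handler is obliged to keep a log, but without the `t=` qualifier it can only record `unknown`.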
Received on Tuesday, 23 October 2012 21:15:58 UTC