- From: イアンフェッティ <ifette@google.com>
- Date: Tue, 23 Oct 2012 17:54:26 -0700
- To: Fred Andrews <fredandw@live.com>
- Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
- Message-ID: <CAF4kx8fKEeDJ=pems4c9zyOcwLvt8YJ=hTQWFbkC43Cdjyt5hw@mail.gmail.com>
I did not see that proposal from Mike nor do I agree to that proposal, so I don't see how that "makes this irrelevant now" -Ian On Tue, Oct 23, 2012 at 5:45 PM, Fred Andrews <fredandw@live.com> wrote: > I don't care if the site thinks it 1st or 3rd party. > > I do expect the site to correctly inform the browser if it conforms > to the 1st or 3rd party requirements and I do expected some browsers > to want to block resources that do not meet their expectation. > > Keep in mind that Mike has already proposed that the UA can request > a resource to conform to the 1st or 3rd party requirements irrespective > of what the site thinks of its resources so this is irrelevant now. > > cheers > Fred > > > ------------------------------ > From: ifette@google.com > Date: Tue, 23 Oct 2012 16:58:57 -0700 > > Subject: Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value > for EU [Tracking Preference Expression (DNT)] > To: fredandw@live.com > CC: public-tracking@w3.org > > > It's not clear why this matters. You say you support DNT. That's all that > should matter, unless you expect the browser to do something differently > depending on whether the site thinks it's a first or third party. I don't > expect the browser to do anything differently. What do you mean by "defend > the users tracking preference?" > > -Ian > > On Tue, Oct 23, 2012 at 4:34 PM, Fred Andrews <fredandw@live.com> wrote: > > > 'Yes, I support DNT' is not a clear answer as currently defined. > > Does this mean 'Yes, I support DNT and conform to the 1st party > requirements' > or does it mean 'Yes, I support DNT and conform to the 3rd party > requirements'? > > User agents do have a real need for a specific answer so they can defend > the > users tracking preference. Mike has also mentioned concern about EU > requirements. > > cheers > Fred > > ------------------------------ > From: ifette@google.com > Date: Tue, 23 Oct 2012 16:02:37 -0700 > To: michael.oneill@baycloud.com > CC: fielding@gbiv.com; npdoty@w3.org; public-tracking@w3.org > > Subject: Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value > for EU [Tracking Preference Expression (DNT)] > > I still don't understand the need for this. The server should simply state > "Yes, I support DNT" or "No, I don't support DNT" (or alternately "Yes, I'm > honoring your request" or "No, I'm not honoring your request.") > > By creating this desire for the server to differentiate between parties, > we've created this rathole that has turned into multiple over-long threads. > There is no fundamental need for this. If someone feels that their request > has been improperly handled, they are free to dig into all of this offline. > As a browser, I have no intention of doing anything with this data, thus I > don't see why there is any need. We are just over-complicating the protocol. > > Personally, this has gotten to a level of unnecessary complexity where I > believe it would hurt adoption and as a result would vote against its > inclusion in the protocol. I think we should go back to a simple "Yes I'm > honoring your request" or "No I'm not honoring your request" 1/0 approach. > Any additional information can be spelled out in the tracking resource > document if someone chooses but need not be included in every response. > > -Ian > > On Tue, Oct 23, 2012 at 3:50 PM, Mike O'Neill <michael.oneill@baycloud.com > > wrote: > > Ian,**** > ** ** > I would agree with you if we don’t have to differentiate between parties, > but as it is we need to have a way for resources (handlers, what have you) > to indicate what they claim to be.**** > ** ** > If there was no difference all we would need would be a status resource > reporting compliance with the spec.**** > ** ** > Thanks for pointing out the https/http problem with the Referer header, I > forgot to mention that in my reply to Roy.**** > ** ** > Mike**** > ** ** > ** ** > *From:* Ian Fette (イアンフェッティ) [mailto:ifette@google.com] > *Sent:* 23 October 2012 22:15 > *To:* Roy T. Fielding > *Cc:* Mike O'Neill; Nicholas Doty; public-tracking@w3.org Group WG > > *Subject:* Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status > value for EU [Tracking Preference Expression (DNT)]**** > > ** ** > On Tue, Oct 23, 2012 at 12:24 PM, Roy T. Fielding <fielding@gbiv.com> > wrote:**** > > On Oct 23, 2012, at 3:15 AM, Mike O'Neill wrote: > > > The point about particular resource URIs changing from 3rd to 1st party > > context is one of the reasons for the change I suggested in issue-182. > The > > user-agent has the party information at hand when it sends out a request, > > and it would be simple for it to communicate this to the server in the > DNT > > header.**** > No, it does not. The fact is that neither the browser nor the server > knows what requests are first party and what requests are third party. > Just clicking on a link doesn't make it the first party -- the identifier > would have to be compared to the contextual user information (the > information that gave the user the idea that they wanted to click > on that link). > > In theory, the only way we could mechanically distinguish between > first and third party references would be to change the URIs > (not going to happen) or add additional metadata to the mark-up to > indicate which is which; in practice, we already know that authors > won't correctly mark-up such links, and I suspect TLR would be > somewhat upset if I started redefining HTML here. > > Of course, this has no impact on enforcement of the standard. > The people building Web sites know which links are to third parties, > even if they don't have a special mark-up. > Regulators are fully capable of distinguishing between where they > intend to visit and other entities that might be performing data > collection -- a simple browser extension or protocol stream capture > will reveal all they need to know, and is easily packaged as a tool.**** > > > > For example the handler associated with a social widget will > > normally receive a request indicating 3rd party context usage ( DNT: 1) > and > > the handler will return Tk3. If a user clicks on it a request will be > sent > > out with the f qualifier ( DNT: 1f) and the handler can return a Tk1 > > response if it now conforms to 1st party rules. > > > > In the DNT = 0 case the exception API will have been called. In a 3rd > party > > context the DNT header would now be DNT: 0t=toplevel.com indicating the > > document origin of the top level page, which is also the origin host > which > > initiated the exception. This can be used to prove compliance (by > retaining > > logs in the DNT:0 case) or to debug script errors on the top level site. > **** > > HTTP already has Referer header fields. > > ....Roy > > **** > > ** ** > Referer is not sent though with https if the site is on a different origin. > **** > ** ** > Stepping back though, we're spending a lot of time defining all of these > more complex response codes, has anyone expressed any interest in using > them? I believe this is already more complex than we have any interest in > using, and wonder if others are in a similar position.**** > ** ** > -Ian**** > ** ** > > > >
Received on Wednesday, 24 October 2012 00:54:55 UTC