Re: ISSUE-164 (requirements on same-party attribute): Call for text alternatives (possibly until Wednesday September 26)

For the sake of clarity, I think it is good to note what the difference 
is, because the difference is not in the user agent but in the 
regulatory effects. 

On Sunday 23 September 2012 11:31:09 Roy T. Fielding wrote:
> > (A) Current draft: Resource is optional
> 
> I think you mean: The same-party member is optional.  User agents
> can still be deployed that test for same-party and complain when
> none is found, possibly resulting in incentive for first party
> sites to supply it, but there is no interoperability requirement.

If this is optional, omissions by first parties have no effect. 
For security reasons alone, I would assume that a decent user agent 
implementation does not believe "1" if it does not correspond to a 
"same party" declaration. A first party must be able to control who 
can make allegations about contractual relations. A malicious 
attacker would certainly state "1" in all response headers. 

I can see Roy's trick for solving the "meaningful interaction" / first 
party issue coming up here, by making everything optional, because it 
may trigger hairy UI problems if one wants to explain that context 
shift to users. 
> 
> > (B) Alternative proposal 1: If multiple domains on a page belong
> > to the same party, then this fact SHOULD be declared using the
> > same-party attribute

This gives a responsibility to the first party and corresponds to 
the "data controller" concept: the first party site controls what 
happens at the resource that was the object of the initial GET 
request. If a resource from a different domain states it is "1" but 
isn't, the fact that the first party was obliged to state this and 
did not constitutes an omission, and we have to inquire about the 
effects of that omission in the US context. (In the EU, stating "same 
party" is all positive and in the interest of the first party, as this 
will extend the consent to those mentioned.) 

Does anybody have further ideas about the consequences of that distinction? 
Amy?

I still don't get why Tom wants that SHOULD. I think Tom wants to 
rely on same-party assertions. Can he? Perhaps more so if it triggers a 
responsibility of the first party. A SHOULD doesn't make "1" 
declarations less malicious. The final judgment call will always be 
made by the browser and, if unsure, by the user. 

Rigo

Received on Sunday, 23 September 2012 19:11:12 UTC
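The security point Rigo makes above (a user agent should not believe a resource's "1" claim unless the first party itself vouches for that origin in its same-party declaration, because anyone can put "1" in a response header) can be shown as a small decision routine. The following is an added example written for this page; it is not code from the thread, from Roy, Tom or Rigo, or from any W3C implementation. It assumes (not stated in the mail) that the first party's declaration is a JSON document with a "same-party" list of domain names, that the third party's claim arrives as the value of a "Tk" response header, and that a subdomain of a declared domain counts as declared. All inputs below are constructed.

```python
"""Added example: verifying a same-party ("1") claim against the first party's
own declaration. Assumptions (not from the thread): the first party's
tracking-status document is JSON with an optional "same-party" list of domain
names; the claiming resource's status arrives in a "Tk" response header; a
subdomain of a declared domain is treated as declared. Sample data is constructed.
"""
import json
from urllib.parse import urlsplit

# Constructed first-party declaration (hypothetical content, not real data).
SAMPLE_FIRST_PARTY_TSR = json.dumps({
    "tracking": "1",
    "same-party": ["cdn.example.com", "example-static.net"],
})


def parse_same_party(tsr_json):
    """Return the set of domains the first party vouches for.

    The "same-party" member is optional (the thread's option A); an absent,
    non-list or malformed member yields an empty set, meaning the first party
    vouches for nobody but itself.
    """
    try:
        doc = json.loads(tsr_json)
    except (TypeError, ValueError):
        return set()
    members = doc.get("same-party") if isinstance(doc, dict) else None
    if not isinstance(members, list):
        return set()
    return {m.strip().lower().rstrip(".")
            for m in members if isinstance(m, str) and m.strip()}


def host_matches(host, domain):
    """True if host equals domain or is a subdomain of it (dot-boundary aware,
    so 'notexample.com' does not match 'example.com')."""
    return host == domain or host.endswith("." + domain)


def parse_tk(header_value):
    """Extract the status token from a Tk header value; None if absent/empty.
    Anything after a ';' is treated as parameters and ignored."""
    if not header_value:
        return None
    token = header_value.split(";", 1)[0].strip()
    return token or None


def evaluate_claim(first_party_host, resource_url, tk_header, tsr_json):
    """Decide whether a UA should believe a resource's same-party ("1") claim.

    Returns {"claimed": token, "accepted": bool, "reason": str}. Only the
    first party's own declaration can make a "1" claim credible; any other
    origin asserting "1" is left unaccepted, however loudly it asserts it.
    """
    claimed = parse_tk(tk_header)
    host = (urlsplit(resource_url).hostname or "").lower()
    fp = first_party_host.lower()
    if claimed != "1":
        return {"claimed": claimed, "accepted": False,
                "reason": "no same-party claim made"}
    if host == fp:
        return {"claimed": claimed, "accepted": True,
                "reason": "resource is the first party itself"}
    for domain in parse_same_party(tsr_json):
        if host_matches(host, domain):
            return {"claimed": claimed, "accepted": True,
                    "reason": "declared by first party: " + domain}
    return {"claimed": claimed, "accepted": False,
            "reason": "unvouched '1' from " + host}


if __name__ == "__main__":
    # Constructed requests: one declared CDN, one origin that merely says "1".
    for url in ("https://cdn.example.com/lib.js", "https://tracker.example/px.gif"):
        print(url, evaluate_claim("example.com", url, "1", SAMPLE_FIRST_PARTY_TSR))
```

The decision never depends on what the claiming resource says about itself beyond the bare fact that it claimed "1"; the authority to extend "same party" status rests entirely with the first party's document, which is the property Rigo argues a decent user agent must preserve whether the attribute is optional or a SHOULD.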