Re: TPE sec 6.11 on clearing granted exceptions from David Singer on 2013-04-26 (public-tracking@w3.org from April 2013)

From: David Singer <singer@apple.com>
Date: Fri, 26 Apr 2013 09:35:34 +0900
To: Nicholas Doty <npdoty@w3.org>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-id: <D18A5852-D2A8-4CF4-A68A-4AC710E9FA00@apple.com>

Thanks, Nick

perhaps this section should merely point out that exceptions form part of the client-stored state, along with cookies and other technologies, and should be considered for inclusion in any state management tools?

On Apr 26, 2013, at 8:40 , Nicholas Doty <npdoty@w3.org> wrote:

> I think in-band user-granted exceptions have at least two advantages over use of cookies in storing exception consent:
> * DNT:0 can be sent even when there is no cookie or cookies are not sent
> * user-agent-managed exceptions can be reviewed and cleared from a centralized store
> 
> I think perhaps the SHOULD text is a little too specific; browsers are taking different approaches to clearing client-side state and while I think there probably always should be an option to clear all client-side state simultaneously, there will also very likely be implementations that clear cookies or other caches separately. I think the general principle of clearing state set and then subsequently accessible by JavaScript is an important one, and worth noting in the spec.
> 
> That would be a third advantage for using in-band exceptions: exceptions may be retained when a user chooses to clear cookies but not other client-side state.
> 
> Thanks,
> Nick
> 
> On Apr 17, 2013, at 7:44 PM, David Singer <singer@apple.com> wrote:
> 
>> This text was part of the resolution to issue-114
>> 
>> <http://lists.w3.org/Archives/Public/public-tracking/2012Feb/0608.html>
>> 
>> and added in.  Sometime later it had minor changes (from 'consider clearing' to 'clear').
>> 
>> I agree with your concern.
>> 
>> On Apr 18, 2013, at 1:23 , Roy T. Fielding <fielding@gbiv.com> wrote:
>> 
>>> I just noticed this sentence in section 6.11 (Fingerprinting):
>>> 
>>> "User agents SHOULD clear stored user-granted exceptions when
>>> the user chooses to clear cookies or other client-side state."
>>> 
>>> IMO, this would make UGEs have no value over cookies for storing
>>> consent.  Is that intentional?
>>> 
>>> ....Roy
>>> 
>>> 
>> 
>> David Singer
>> Multimedia and Software Standards, Apple Inc.

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Friday, 26 April 2013 00:36:03 UTC