- From: David Singer <singer@apple.com>
- Date: Thu, 03 Jan 2013 15:51:26 -0800
- To: public-tracking@w3.org
This thread went dormant without much of a conclusion in November, as I perceive. The issue is around the use of wild-cards in the exception API.
There are two places that host-names occur in the APIs:
* the 'implicit' parameter, the site making the call, and that will become the first of the two host-names in the remembered record [top-level, target]
* the explicit 'target' parameter for site-exceptions.
Wild-carding the second is easily handled; we already allow the request to be for the entire web ("*"), and even if it is not, we allow the user-agent to make it so. So allowing the explicit parameters to include wild-cards (e.g. *.adservice.net) is clearly harmless, as it's more restricted than a plain "*" which it could be converted to.
We're left with the problem of the implicit parameter. What issues come up?
A. Some parties have reasonably large numbers of hostnames/sites. Sometimes they are related in name, sometimes not. Movie studios, for example, often create a new site for each movie they release (e.g. http://www.skyfall-movie.com/site/ or http://yimg.com, as well as http://developer.apple.com). This list of sites is sometimes dynamic (changes over time).
B. We don't want to allow a site to register an exception for a "public suffix", and thereby grant an exception to unrelated parties. For example, if someone asked for a site exception for anything embedded on *.com, then huge numbers of unrelated parties would be getting an exception.
C. We don't want to have to check the public suffix database (http://publicsuffix.org, which is huge and unwieldy) at all if possible, and at most on the API call and not when headers are sent.
D. We don't really want to do a fetch on the "same-party" array at the time of the call, and we cannot possibly fetch it each time we generate an HTTP header.
E. We have to watch where the wild-card asterisk goes; for example, with ICANN generating TLDs like water, we don't want to have yahoo.* registered, or we'll run into the same "unrelated parties" problem as before. It's not clear who would register such a mistake, however ("cui bono?") but a lack of motive doesn't mean we should allow such an obvious mistake.
Here are some possibilities:
1 allow the APIs to indicate a top-level domain which has the form *.<rest>, where *.<rest> must match the domain making the call (the document origin of the script), and <rest> must not be a public suffix. That allows scripts.google.com to supply a script that asks for an exception for *.google.com.
2 allow the APIs to ask for the exception for "myself" (the document origin of the script) "and all my same-parties too" (a fetch at API time of the same-party array).
3 say that the document-origin of the script should be a site with a short hostname, and allow the exception to apply to sites with that as a suffix (e.g. make the call from google.com, and then the exception applies to *.google.com). That avoids the public suffix issue, but not the unrelated site-names issue.
4 combine 3 with 2, and say that if blah.com is declared as a same-party, then the exception applies to *.blah.com.
I cannot see a way to avoid having sites that dynamically create unrelated site-names (e.g. the skyfall site above) from calling the API again to apply to that site. There's no way we can do the check of same-party dynamically, from the user-agent.
David Singer
Multimedia and Software Standards, Apple Inc.
Received on Thursday, 3 January 2013 23:51:56 UTC