- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Wed, 9 Jan 2013 12:16:08 -0000
- To: "David Singer" <singer@apple.com>
- Cc: <public-tracking@w3.org>
Received on Wednesday, 9 January 2013 12:16:37 UTC
Hi David, On the new API (to answer "does this exception that I previously requested still exist?" surely the receipt of a DNT:0 in the request header (or from the current requestDNTStatus()) already indicates that? If you mean an embedded frame could ask the question about another domain - i.e. requestDNTstatus(DOMString otherdomain), then we could be introducing a new fingerprinting risk. For example script in a frame could set up a web-wide exception for "insurancerisk.com", which could then be checked anywhere with requestDNTStatus("insurancerisk,com"), indicating one bit of data about the current user-agent/user. More bits could be added by executing as many dummy WW exception calls needed. It is a pity though because this would be a way to solve some of Shane's use-cases, i.e. you could set up a site specific exception for webmail.com then query for its existence on webmail.co.uk. This would only work for resources returning HTML though so it would not help with imagecloud.com, so probably not worth the fingerprinting risk. Cheers Mike
Received on Wednesday, 9 January 2013 12:16:37 UTC