
Re: action-334, issue-112, a summary on sub-domains for exceptions

From: Roy T. Fielding <fielding@gbiv.com>
Date: Fri, 11 Jan 2013 15:05:55 -0800
Cc: Tracking Protection Working Group <public-tracking@w3.org>
Message-Id: <CABE8092-467C-46C5-8B6D-0284102CEA5F@gbiv.com>
To: David Singer <singer@apple.com>

On Jan 11, 2013, at 10:00 AM, David Singer wrote:
> On Jan 10, 2013, at 17:09 , Shane Wiley <wileys@yahoo-inc.com> wrote:
> 
>> David,
>> 
>> You hit my core concern with "preferably by using a shared list" as it appeared the way Mike had described the interaction that the "shared list" would be bound by same origin requirements and this would require a list per domain variation.  As long as we're okay that the domain flagging "include these related domains" not require a same origin for storage of said list, then we should be okay.  I believe it would be a requirement that the domain pointing at the shared list exist in the list themselves as a sanity check is appropriate.  Agreed?
> 
> I think we are converging.  What I was saying was that it's easiest if the 'same-party' pointer at the various sites actually is the same URL, and includes all those sites.  So then it's clear that
> 
> fooey.com -> http://www.example.com/resources/same-party.txt
> example.com -> http://www.example.com/resources/same-party.txt
> and that file contains
> example.com
> fooey.com
> 
> Then it's clear that fooey.com and example.com are indeed part of the same party.  We need to avoid someone saying "I'm part of Yahoo!" when Yahoo! does not agree, or at least have that case detectable and flaggable.

The current same-party definition is for an array of domains inside
the first party's TSR.  We could change that to a link (pointer),
but that means managing yet another resource on the first party site
and needing yet another request to get that information.  Right now,
the API (as I understand it) doesn't require any additional network
requests to work because the JavaScript already knows the domains for
which it needs an exception.

Someone else does not say they are part of Yahoo!  Yahoo's site says
the following domains are part of me, and if the UA wants to verify
that they can simply look at Yahoo's site tracking status resource.

In short, I see no value to this new design and plenty of extra cost.

....Roy
Received on Friday, 11 January 2013 23:06:17 UTC
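
The two verification models discussed in this message, as an added example that is not part of the original thread or of the working group's drafts. The TSR JSON shape, the function names, and the host `unrelated.example` are assumptions, and all data is constructed so the checks run offline.

```javascript
// Model A (current draft, as described in the message): the first party's
// tracking status resource (TSR) carries a "same-party" array of domains.
// Constructed sample TSRs, keyed by the host that serves them.
const tsrByHost = {
  "example.com": { "same-party": ["example.com", "fooey.com"] },
  "fooey.com": { "same-party": ["fooey.com"] },
};

// Model B (the shared-list proposal): every site points at one list URL,
// and that list must name every site that points at it.
const LIST_URL = "http://www.example.com/resources/same-party.txt";
const pointerByHost = {
  "example.com": LIST_URL,
  "fooey.com": LIST_URL,
  "unrelated.example": LIST_URL, // claims membership without agreement
};
const listByUrl = { [LIST_URL]: "example.com\nfooey.com\n" };

// Compare domains case-insensitively and ignore a trailing root dot.
const norm = (d) => d.trim().toLowerCase().replace(/\.$/, "");

// Model A check: does firstParty's own TSR vouch for domain?
// Needs only the TSR the user agent can already fetch from firstParty.
function vouchedByTsr(firstParty, domain) {
  const tsr = tsrByHost[norm(firstParty)];
  const list = tsr && Array.isArray(tsr["same-party"]) ? tsr["same-party"] : [];
  return list.map(norm).includes(norm(domain));
}

// Model B check: both sites must point at the same list, and the list must
// contain both. Costs one extra fetch (simulated here by listByUrl).
function checkSharedList(a, b) {
  const pa = pointerByHost[norm(a)];
  const pb = pointerByHost[norm(b)];
  if (!pa || !pb) return "no-pointer";
  if (pa !== pb) return "different-lists";
  const members = (listByUrl[pa] || "").split("\n").map(norm).filter(Boolean);
  const missing = [a, b].map(norm).filter((d) => !members.includes(d));
  return missing.length ? "unlisted:" + missing.join(",") : "same-party";
}

console.log(vouchedByTsr("example.com", "fooey.com"));
console.log(checkSharedList("example.com", "unrelated.example"));
```

In both models the unagreed claim fails because membership is decided by the resource the claimed party itself publishes, not by the pointer or assertion of the claimant.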
