
Re: action-334, issue-112, a summary on sub-domains for exceptions

From: David Singer <singer@apple.com>
Date: Fri, 11 Jan 2013 16:18:57 -0800
Cc: Tracking Protection Working Group <public-tracking@w3.org>
Message-id: <1A9BB492-2F23-4F85-9681-285B47489A72@apple.com>
To: "Roy T. Fielding" <fielding@gbiv.com>

On Jan 11, 2013, at 15:05 , "Roy T. Fielding" <fielding@gbiv.com> wrote:

> On Jan 11, 2013, at 10:00 AM, David Singer wrote:
>> On Jan 10, 2013, at 17:09 , Shane Wiley <wileys@yahoo-inc.com> wrote:
>> 
>>> David,
>>> 
>>> You hit my core concern with "preferably by using a shared list" as it appeared the way Mike had described the interaction that the "shared list" would be bound by same origin requirements and this would require a list per domain variation.  As long as we're okay that the domain flagging "include these related domains" not require a same origin for storage of said list, then we should be okay.  I believe it would be a requirement that the domain pointing at the shared list exist in the list themselves as a sanity check is appropriate.  Agreed?
>> 
>> I think we are converging.  What I was saying was that it's easiest if the 'same-party' pointer at the various sites actually is the same URL, and includes all those sites.  So then it's clear that
>> 
>> fooey.com -> http://www.example.com/resources/same-party.txt
>> example.com -> http://www.example.com/resources/same-party.txt
>> and that file contains
>> example.com
>> fooey.com
>> 
>> Then it's clear that fooey.com and example.com are indeed part of the same party.  We need to avoid someone saying "I'm part of Yahoo!" when Yahoo! does not agree, or at least have that case detectable and flaggable.
> 
> The current same-party definition is for an array of domains inside
> the first party's TSR.  We could change that to a link (pointer),
> but that means managing yet another resource on the first party site
> and needing yet another request to get that information.  Right now,
> the API (as I understand it) doesn't require any additional network
> requests to work because the javascript already knows what domains for
> which it needs an exception.
> 
> Someone else does not say they are part of Yahoo!  Yahoo's site says
> the following domains are part of me, and if the UA wants to verify
> that they can simply look at Yahoo's site tracking status resource.
> 
> In short, I see no value to this new design and plenty of extra cost.

OK, it was an attempt at a minor optimization.  

As it is, which is OK, if you want to confirm, you visit site fooey.com, and fetch its same-party resource.  It says "yahoo.com, barree.com, yahoo.com".  You wonder if this is all true, and you visit those other two sites to get their same-party resources, and they contain fooey.com.  It's a little more complex than comparing "are they the same pointer?" or "are they the same strings?" (because they may have the site names in a different order, or yahoo may claim more same-party sites than the subsidiary sites need to mention), but it's do-able.

> 
> ....Roy
> 

David Singer
Multimedia and Software Standards, Apple Inc.
Received on Saturday, 12 January 2013 00:19:28 UTC
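The mutual check David sketches above (fetch fooey.com's same-party list, then visit each listed site and confirm it names fooey.com back), written out as an added example that is not part of the original thread. It assumes the Tracking Status Resource is JSON with a "same-party" array of domains, as Roy describes, and replaces the network fetch with a constructed in-memory table; the domain names are the thread's illustrative ones plus an invented extra.example.

```python
from dataclasses import dataclass, field

# Constructed sample TSRs keyed by domain (illustrative names only).
# yahoo.com lists a superset and uses a different order/case, which must
# not matter; barree.com never names fooey.com, which must be flagged.
SAMPLE_TSRS = {
    "fooey.com":  {"tracking": "1", "same-party": ["yahoo.com", "barree.com", "fooey.com"]},
    "yahoo.com":  {"tracking": "1", "same-party": ["extra.example", "fooey.com", "Yahoo.com"]},
    "barree.com": {"tracking": "1", "same-party": ["barree.com", "yahoo.com"]},
}

def fetch_tsr(domain, store=SAMPLE_TSRS):
    """Stand-in for GET https://<domain>/.well-known/dnt/ (assumed location).
    Returns the parsed JSON object, or None when the site has no TSR."""
    return store.get(domain)

def same_party_claims(tsr):
    """Normalised set of domains a TSR claims as same-party (empty if none)."""
    claims = tsr.get("same-party", []) if isinstance(tsr, dict) else []
    return {c.strip().lower().rstrip(".") for c in claims if isinstance(c, str)}

@dataclass
class SamePartyReport:
    origin: str
    lists_self: bool                                # sanity check: origin names itself
    confirmed: set = field(default_factory=set)     # other side names origin too
    unconfirmed: set = field(default_factory=set)   # claimed, but not reciprocated

def verify_same_party(origin, fetch=fetch_tsr):
    """Fetch origin's TSR, then each claimed domain's TSR, and keep only the
    claims the other domain reciprocates. Order and supersets are ignored;
    a missing or malformed TSR on the other side counts as unconfirmed."""
    origin = origin.strip().lower().rstrip(".")
    claims = same_party_claims(fetch(origin))
    report = SamePartyReport(origin=origin, lists_self=origin in claims)
    for other in sorted(claims - {origin}):
        if origin in same_party_claims(fetch(other)):
            report.confirmed.add(other)
        else:
            report.unconfirmed.add(other)
    return report

if __name__ == "__main__":
    r = verify_same_party("fooey.com")
    print(f"{r.origin}: lists_self={r.lists_self} confirmed={sorted(r.confirmed)} "
          f"unconfirmed={sorted(r.unconfirmed)}")
```

Swap `fetch_tsr` for a real HTTP fetcher to run the same check against live sites; an unconfirmed entry is the "I'm part of Yahoo! but Yahoo! disagrees" case the thread wants detectable.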
