Re: some editing notes regarding user-granted exceptions from David Singer on 2013-01-23 (public-tracking@w3.org from January 2013)

From: David Singer <singer@apple.com>
Date: Wed, 23 Jan 2013 09:50:29 +0100
To: Nicholas Doty <npdoty@w3.org>
Cc: "public-tracking@w3.org Working Group" <public-tracking@w3.org>
Message-id: <2B773CFA-02DF-47AB-8117-2FA1D4ECC60A@apple.com>

On Jan 23, 2013, at 7:31 , Nicholas Doty <npdoty@w3.org> wrote:

> A few notes from reading over the user-granted exceptions section:
> 
> I think we're misusing "site-wide" a few times to refer to what might better be called "all targets". The term "site-wide" implies the width of the first-party, not the specificity of trackers for whom an exception is granted.

OK, there is some terminological work here.  Sometimes people use site-wide to mean all targets and site-specific to mean specific targets.  We should tidy up to use consistent terminology, and maybe define it, I agree.

> Regarding the enumeration of response values, is there some reason a site needs to know that it received an "all targets" expansion even when it did not ask for one? It seems to me the site cares whether it received as least as much permission as it asked for, and nothing else. That would suggest this response value can be boolean, which is a little simpler for all involved.

It may well be that it's not relevant.  I forget why it was added; probably me trying to give maximum transparency.

> "the user-agent may still ask for the user's approval" -- are we sure that's right under this version of exceptions? Can a UA ask for the user's approval without blocking the JS thread or granting (and subsequently using) the exception before the user has had a chance to confirm?

Yes.  It may hold the request in its hand, return, and not enter it into the database until confirmation was what was said on the call a few weeks ago.  This is slightly ugly but expected to be quite unusual.  Slightly more usual would be to enter it and warn the user, and maybe they will delete it a few moments later if they disagree.  We hope that most usual will be the case that sites have got proper consent and there is no dispute at this stage.

> 
> We refer to "origin" in some cases and "domain" in others. I believe "origin" generally refers to a tuple of host, port and scheme. For the sake of consistency with other specs, we could stick with origins, strictly defined; I've been looking at the definition in HTML5 [0]. If what we actually mean is host (because the distinction between http and https is not significant for our use cases, say), we should make that change. (On the other hand, HTML5 has a document.domain property, which seems to be equivalent to their concept of host.)

Cleaning up to be consistent with terminology is always good.

> 
> Thanks,
> Nick
> 
> http://www.w3.org/html/wg/drafts/html/master/browsers.html#origin

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Wednesday, 23 January 2013 08:51:01 UTC