Text for ISSUE-164

Hi Matthias, 

I think SHOULD and MUST are off the table AFAIK. But I still would like 
to include the non-normative text below. (English native speakers please 
correct or shorten)

 --Rigo

On Tuesday 04 June 2013 15:04:47 Matthias Schunter wrote:
> ISSUE-164: To what extent should the "same-party" attribute of
> tracking  status resource be required
> http://www.w3.org/2011/tracking-protection/track/issues/164
> (A) Current draft: Resource is optional
> (B) Alternative proposal 1: If multiple domains on a page belong to
> the  same party, then this fact /SHOULD/ be declared using the
> same-party attribute
> (C) Alternative proposal 2: State that user agents /MAY/ assume that 
> additional elements that are hosted under a different URL and occur on
> a  page and declare "intended for 1st party use" are malicious unless
> this URL is listed in the "same-party" attribute
>   => Concrete text is needed to issue a call

Suggested Text for option C: 

A user experience on the web can be composed of elements from a variety 
of resources that are assembled into one user experience by the user 
agent. Many of those resources, even under different domain names, may 
belong to the same data controller or to service providers that act as 
data processors for the controller. 

A user agent fetching elements from different resources may want to 
check whether a claim from a resource to be under control by the same 
party is backed by the first party the service claims to cater to. This 
is especially the case if elements from a different origin have to be 
mashed up. The user agent can check whether such claims are backed by 
the first party of the top origin by verifying the <code>same-
party</code> declaration of that origin. In case the service provider's 
claim is not backed by the first party of the initial origin, a user 
agent may decide to block such elements or resources.

Received on Tuesday, 4 June 2013 15:00:18 UTC