Re: Batch closing of TPE related issues

On Jun 12, 2013, at 4:07 PM, "Nicholas Doty" wrote:

I didn't understand ISSUE-192 to be about the capability for revocation of user-granted exceptions within the browser, but a question as to whether the API for storing user-granted exceptions in the user agent should include capabilities for cookie semantics, including timed expiration or secure-only. I agree with the resolution that it doesn't seem at this time like those capabilities are needed. To Rob's point, I don't think ISSUE-192 addresses the question of user control of revoking user-granted exceptions; we should go ahead and close it.

When the idea of user-granted exceptions as stored in the browser (rather than consent mediated by the browser) was first proposed, I did try to express concern about the confusing situation of simultaneously using stored user-granted exceptions and out-of-band consent. One key advantage of having user-granted exceptions stored by the user agent is that the user can inspect them in a single place and revoke granted permissions at a time of their choosing. If users revoke these exceptions but the consent is also stored through some out-of-band means and so the user continues to be told that they have consented to being tracked in a specific context, it would be surprising to the user and it might become difficult to opt-back-out.

<Bryan> perhaps, Nick. But that "single place" advantage is only applicable if (1) you don't consider that the user will likely be accessing services via many devices and multiple browsers; (2) the UI/UX across UAs is fairly consistent, with UAs here meaning any Webview-enabled hybrid app also - a very unlikely scenario IMO.

Received on Wednesday, 12 June 2013 15:52:09 UTC