
RE: Approach to ISSUE-167: Multiple site exception

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Wed, 20 Mar 2013 14:10:54 -0000
To: <public-tracking@w3.org>, <wileys@yahoo-inc.com>
Message-ID: <0a9501ce2574$bd124bd0$3736e370$@baycloud.com>

Hi Shane,

 

Sorry I just found your post.

 

Yes, and the problem remains how the co-1st party signals consent when it is
addressed as an actual 1st party. The DNT: 1-> Tk:1 handshake could work but
not in the EU (in my opinion) and it would be better to use the API to
signal consent using cross-domain signalling and a shared frame to identify
the user, i.e. recognise that you had already obtained consent. The UI would
explain to the user that the parties were joint data controllers when
getting their agreement in the first place.

 

Mike

 

Mike,

 

Perhaps there are no issues at all then and the current spec covers us.  I
believe you're saying that if the 1st party that is requesting the co-1st
party exception is the origin domain (and always will be in this situation),
then the arrayOfDomainStrings works for this co-1st party pairing (basically
the co-1st party simply looks like another domain of the same party).  If
the co-1st party were to interact with the UA outside of this context, it
would revert back to not having an exception as its origin did not directly
register an exception.  Correct?  Worst case the co-1st party can reply to a
DNT:1 with tk:1;URI without an exception so everything is still very clear
to the UA/User.

 

- Shane

 

-----Original Message-----

From: Mike O'Neill [mailto:michael.oneill@baycloud.com]

Sent: Monday, March 18, 2013 11:55 AM

To: 'Matthias Schunter (Intel Corporation)'; Shane Wiley

Cc: public-tracking@w3.org

Subject: RE: Approach to ISSUE-167: Multiple site exception

 

Shane,

 

As I understand the use-case, getting consent for multi first-parties can be
handled by the existing API. Script in the top-level domain just calls the
API with the additional parties in arrayOfDomainStrings. I thought the
problem with multi first-parties was the DNT:1 case, and (otherwise)
third-party servers wanted to claim first party status and so respond with
Tk: 1.

 

This is different from the situation where you want to simultaneously
register tracking consent to other (actual) first-parties, each perhaps with
their own retinue of third-parties, which hits the same-origin restriction.

 

Or have I not understood your use-case?  Can you give an example?

 

Mike

 

-----Original Message-----

From: Matthias Schunter (Intel Corporation) [mailto:mts-std@schunter.org]

Sent: 18 March 2013 15:37

To: Shane Wiley; Mike O'Neill

Cc: public-tracking@w3.org (public-tracking@w3.org)

Subject: Approach to ISSUE-167: Multiple site exception

 

ISSUE-167: Multiple site exceptions

 <http://www.w3.org/2011/tracking-protection/track/issues/167>

 

 

Hi Team (and in particular Shane and Mike),

 

 

I have re-read the minutes and it seems to me that the right approach
forward to ISSUE-167 (albeit not perfect) is to leave the API as it is for
final call and then understand the implementation experiences.

 

We can then design a backward compatible way to add MultiSiteExceptions
later.

One challenge to overcome is that we need to ensure that the envisioned
method is secure, i.e., that one can only ask for exceptions for sites that
one owns/controls.

 

Formally, I suggest to document this and mark ISSUE-167 as POSTPONED. 

Are you OK with this way forward?

 

 

Regards,

matthias

 
Received on Wednesday, 20 March 2013 14:11:31 UTC
