- From: Rigo Wenning <rigo@w3.org>
- Date: Fri, 22 Mar 2013 12:03:27 +0100
- To: public-tracking@w3.org
- Cc: David Singer <singer@apple.com>
On Monday 18 March 2013 18:02:01 David Singer wrote:
> So, where you say "an assumption we would be undoing is the assumption
> that the User Agent (UA) knows who the first party is before it sends
> an HTTP request". No, we don't assume that; the user-agent has to
> work on machine-testable questions, and it knows the address in the
> address bar. We kinda assume that that maps fairly well to the first
> party most of the time.

There are many many cases where domain names do not match parties. There are two ways to address the issue:

1/ only work on domain names and ignore the rest (Roy and Adrian stating: no known implementation implements the TSR) => it becomes the responsibility of the browser to determine the party. But they can't, they can only look at domains. This then creates a developer nightmare resulting in "make browser happy" implementations so that the site works. Confronted with cheating or the site not working, people will go for cheating and will find understanding in courts.

2/ look into what the service tells you => responsibility of the service. If the response to a GET request on example.org is Tk:1 you treat them as a first party. As nobody is implementing this.... => the browser remains responsible.

There is a feedback loop from the service to the browser for a reason. And this reason is not only to have pre-flight conditions or having one researcher holding up the entire industry for doing some obscure measurements. It is also for the service to be able to give context to the browser. If the browser ignores the context, it acquires the problem.

--Rigo
Received on Friday, 22 March 2013 11:03:51 UTC