- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 9 Apr 2014 01:22:48 -0700
- To: Nicholas Doty <npdoty@w3.org>
- Cc: David Singer <singer@apple.com>, Adrian Bateman <adrianba@microsoft.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
- Message-Id: <6646E9A7-4ADC-4E3C-B9D2-760CB8208CD6@gbiv.com>
On Apr 8, 2014, at 7:43 PM, Nicholas Doty wrote: > On April 8, 2014, at 10:16 AM, David Singer <singer@apple.com> wrote: > >> On Apr 8, 2014, at 19:10 , Adrian Bateman <adrianba@microsoft.com> wrote: >>> >>> My main concern with the proposal is the MUST requirement: >>> >>> "A user agent that allows extensions to directly make or modify HTTP requests MUST >>> provide a corresponding API to those extensions for determining the user's tracking >>> preference." >>> >>> The spec gives some examples of extensions but doesn't really define them. There are many >>> different ways to extend a browser and I'm not convinced it is always possible to >>> provide such an API. >>> >>> In the past, IE and others have provided similar APIs to allow plug-ins to determine >>> private browsing modes so I don't think it's an unrealistic goal in general. However, >>> it will be possible to write an extension where it would be hard to provide such an >>> API and I think we need to recognise this in the spec. >>> >>> Given the previous discussions in this group I'm hesitant to suggest it but I think >>> this requirement should be a SHOULD. >>> >> >> I am with you. >> >> It seems like a good idea to have extensions respect DNT. However, (a) I am not sure we can reasonably provide this API for all types of software that could be considered an extension, plug-in or add-on; and (b) in some cases, where the UA is in control of networking done by the extension, as with Safari Extensions, it would be more appropriate for the UA to automatically add the right DNT header and therefore there is no need to expose the preference. >> >> Based on these points, I think the requirement should be, for now, a SHOULD. >> >> I’m not saying that Roy hasn’t raised a good point; it’s that it needs consideration, looking at the cases, and so on. > > (As noted earlier, some of our discussions on this thread might have strayed from the original topic. This isn't about the software for getting the user's preference, but about the details for browsers to communicate to extensions (unrelated to DNT) that might independently create and execute HTTP requests, so that they can send the same DNT header.) > > To pick up on the suggestion of SHOULD instead of MUST and to clarify the confusion I had about "allow" and "direct", I'd suggest the following. > > How about, in place of: >> A user agent that allows extensions to directly make or modify HTTP requests MUST provide a corresponding API to those extensions for determining the user's tracking preference. > > We instead wrote: >> A user agent SHOULD provide an API or configuration option to extensions that might create HTTP requests external to the user agent. > > This isn't about extensions that are modifying user agent configuration but about communicating user agent configuration to extensions. And those extensions that use browser APIs for executing their HTTP requests don't need the separate API because those requests can already have DNT headers that correspond to the user preference configured in the browser. The previous sentences that Roy included already give the motivation and note that extension interfaces aren't going to be identical. > > I think "MAY" would be fine as well, but "SHOULD" would indicate to an extension developer that if they can't get access to the user's DNT setting to send it on independently-created HTTP requests, they probably ought to talk to the UA about it, rather than creating their own configuration/DNT store. I am going to change it to A user agent that supports extensions SHOULD also provide an appropriate mechanism for such extensions to determine the user's tracking preference. Note that the term "user agent" refers to the program as a whole, including extensions, so there is no way a request can be made external to the user agent. If they were truly independent, then the extension would be the user agent (not the software that invoked the extension). ....Roy
Received on Wednesday, 9 April 2014 08:23:14 UTC