RE: ISSUE-262: guidance regarding server responses and timing

Nick,

I believe we've been trying to identify which is the party in capacity to respond to the DNT request. The problem is, the bid winner is not in capacity to do so because it is unaware of who has accessed the data and therefore cannot guarantee that data has not been shared with parties not having been granted web-wide exceptions.

The clean technical solution to handle that would be for the first recipient of the message to check for site-wide exceptions for all parties receiving data downstream so it will be able to respond appropriately to the DNT signal (along the lines of what Mike proposed, I guess).

Normative text:
For Servers in direct communication with the User Agent that then communicate further with other parties within the same transaction but outside direct communication with the User Agent, those Servers MAY send a temporary "?" response and MUST call confirmWebWideException to check existing exceptions for all downstream parties receiving the data in order to determine if tracking outside exceptions occurs. The server MUST provide a final response to the DNT request during the transaction.

Vincent
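As an added illustration of the flow proposed above (not code from this thread or from the TPE specification), here is a simulated first recipient that answers "?" while it checks downstream parties and then settles on a final status for this one request. The exception store, the downstream party list, `confirm_web_wide_exception` and the policy for combining results are assumptions made for the example; only the status values "?", "N" and "C" come from the TPE Tk header.

```python
# Simulated first-recipient server deciding the Tk response for one request.
# "?", "N" and "C" are TPE tracking status values; everything else here is
# an assumption constructed for this illustration.

TSV_DYNAMIC = "?"       # status for this request not yet determined
TSV_NOT_TRACKING = "N"  # no tracking (data withheld from unexcepted parties)
TSV_CONSENT = "C"       # tracking only under user-granted exceptions

# Constructed sample data: web-wide exceptions per user id, holding the
# origins the user has granted an exception to.
WEB_WIDE_EXCEPTIONS = {
    "user-a": {"https://ads.example", "https://bidder.example"},
    "user-b": {"https://ads.example"},
}

# Hypothetical downstream parties that would receive data in the transaction.
DOWNSTREAM_PARTIES = ["https://ads.example", "https://bidder.example"]


def confirm_web_wide_exception(user_id, origin):
    """Hypothetical lookup standing in for the exception check in the thread."""
    return origin in WEB_WIDE_EXCEPTIONS.get(user_id, set())


def handle_request(user_id, dnt, downstream=DOWNSTREAM_PARTIES):
    """Return (interim_tk, final_tk, recipients) for one DNT:1 transaction.

    The interim status is "?" while downstream exceptions are checked; the
    final status is computed for this request only and is not reused for
    any other request.
    """
    if dnt != "1":
        raise ValueError("this example only models requests carrying DNT:1")
    if not downstream:
        # Nothing goes further, so the final status is known immediately.
        return (TSV_NOT_TRACKING, TSV_NOT_TRACKING, [])
    interim = TSV_DYNAMIC
    allowed = [p for p in downstream if confirm_web_wide_exception(user_id, p)]
    # Parties without an exception get no data in this transaction, so
    # tracking outside exceptions cannot occur and a final status can be sent.
    final = TSV_CONSENT if allowed else TSV_NOT_TRACKING
    return (interim, final, allowed)
```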

-----Original Message-----
From: Nicholas Doty [mailto:npdoty@w3.org]
Sent: Tuesday 4 November 2014 04:52
To: Tracking Protection Working Group
Subject: Re: ISSUE-262: guidance regarding server responses and timing

I feel we've let this thread get rather a long ways off of the original topic. ISSUE-262 is an issue raised as a Last Call comment to the TPE specification, regarding the timing of server responses in cases of ad exchanges or other cases where server-to-server communication takes place.

> Accordingly, Rubicon Project requests that the Working Group include some guidance as to how responding servers should deal with such timing issues.
https://www.w3.org/2011/tracking-protection/track/issues/262

I believe we can address this with the existing "?" tracking status value (for use in pre-fetching) and some clarity about Tk header responses being valid only for the request in question. Regarding next steps: we can follow up with the commenter to see if that explanation makes sense to them. We could also consider an editorial note or example in the TPE specification, if we expect this to be a common confusion for implementers.

TPE doesn't require any compliance determinations, but just a response to the question of how to make a response available when different downstream servers are involved. There seems to be some interesting discussion about the different possible models and how that would apply to DNT compliance (as described in the separate Tracking Compliance specification) and our definition of service provider. If someone has a text proposal for changes to the Compliance editor's draft (or even just a concrete description of the problem you see, so that someone else can draft a change proposal) we could continue that discussion with a different issue number.

Thanks,
Nick

Received on Tuesday, 4 November 2014 10:36:13 UTC