- From: David Singer <singer@apple.com>
- Date: Tue, 11 Nov 2014 17:02:19 -0800
- To: Mike O'Neill <michael.oneill@baycloud.com>
- Cc: public-tracking@w3.org
On Nov 11, 2014, at 8:39 , Mike O'Neill <michael.oneill@baycloud.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi David, > > I may have missed something but the Confirm UGE API could do with some explanatory text. > > The ConfirmSiteSpecificTrackingException also applies to a grant which had been requested web-wide. I don’t think so. > A web-wide exception by definition applies site-specifically on all sites and the match algorithm in 7.3.2 works for this ( [document-origin, target] matches [*, web-wide-document-origin] if target == web-wide-document-origin) The confirm calls ask whether a specific set of records is in the database, not whether a site would get a DNT:0 header. This is spelled out in quite some detail: If the user agent stores explicit lists, and the call includes one, the database is checked for the existence of all the duplets (one per target): [document-origin, target] If the user agent stores only site-wide exceptions or the call did not include an explicit list, the database is checked for the single duplet: [document-origin, * ] If the user agent stores explicit lists, and the call includes one, and the domain argument is provided and is not empty then the database is checked for the existence of all the duplets (one per target): [*.domain, target] If the user agent stores only site-wide exceptions or the call did not include an explicit list, and the domain argument is provided and is not empty then the database is checked for the single duplet: [*.domain, * ] The returned boolean has the following possible values: • true all the duplets exist in the database; • false one or more of the duplets does not exist in the database. > This is not completely clear in the current text so maybe we should change the function description to: > > Called by a page to confirm a tracking exception. > This function can be used to confirm a site-specific exception or a web-wide exception that has been granted for the document-origin or sub-requests issued from it. > > I assume the .domain property in ConfirmExceptionPropertyBag is (in keeping with the SOP) cookie-like as described in 7.4.1. This is not obvious so it should be stated, though this API only seems useful to check for exceptions on subdomains of the document-origin. The parameters are *exactly* the same as to set an exception (for both confirm calls). > For Issue-262 I looked at the JavaScript necessary to determine which of a list of bidders had granted exceptions, which is possible using the ConfirmSiteSpecificTrackingException but the code is long winded. You have to check for the complete list then repetitively check component sub-lists till you get a set of lists that the API returns true for, and the input list length could be in thousands for the ad-exchange use case. Yes, these calls are not intended for that case, I think. > > If this is predicted to be a common use-case (the tracking protection component of the recently announced Mozilla Polaris project https://wiki.mozilla.org/Polaris could lead to ad-exchanges having to check for UGEs) perhaps we should consider changing the API to return either a Boolean array or an array of indices to the input arrayOfDomainStrings. While we are at it there seems to be little point in the ConfirmWebWideTrackingException API anyway, why not make it redundant and rename the site-specific one to ConfirmTrackingException. (This also helps avoid these ridiculously long function names). They are different, as noted above. They answer the exact question “if I were to call Storexxxxxx, would the act be redundant because it’s already there?” > > Mike > > > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.13 (MingW32) > Comment: Using gpg4o v3.3.26.5094 - http://www.gpg4o.com/ > Charset: utf-8 > > iQEcBAEBAgAGBQJUYjuoAAoJEHMxUy4uXm2JNuYIAJGz8Utu4i97XFacy3h1aM0d > 7l284oNmoHGwKKkp9vOVK5yfm/gMNpJUoBJeZoSTOqYenu6ggTVxoYVei8kfGXDp > GnFLjniUEFGHoIQVAhz9BKp/NTYhuZaOr6sMKxk1v8rtftJOrSF2zRQUkmoVciVL > 8ySQ9YLBRYSA9SwivIj2qbAgCpPns8uJC/HHpZJXuQLNoxGbveYmEU1I6G+7Fqm8 > jEeBehaQmvDcTMBZywc/5/AmiyJ32tFB6Uz4WHru4hS0zwR/Tk+IlyYTIOz1zz6P > nfeAMB4+bKn1h2LaevvWWFxzE1z602UKTwSTfe+NAaMonueKgdu8ku6TiLCvMVg= > =gaVN > -----END PGP SIGNATURE----- > <PGPexch.htm><PGPexch.htm.sig> David Singer Manager, Software Standards, Apple Inc.
Received on Wednesday, 12 November 2014 01:02:48 UTC