- From: Standards <singer@apple.com>
- Date: Wed, 08 Oct 2014 09:04:48 -0700
- To: Tracking Protection Working Group <public-tracking@w3.org>
1. <http://www.w3.org/2011/tracking-protection/track/issues/243>

terminology agreed

top-level origin -> top-level browsing context as defined in <http://www.w3.org/TR/html5/browsers.html#browsing-context>

a target is the Host part of an HTTP URL as defined in <http://tools.ietf.org/html/rfc3986#page-18> from which a resource is requested

document origin of a script -> effective script origin, so it now reads

> If domain is supplied and not empty then it is treated in the same way as the domain parameter to cookies and allows setting for subdomains.
>
> If the effective script origin would not be able to set a cookie on the domain following the cookie domain rules [COOKIES] (e.g. domain is not a right-hand match or is a TLD) then the duplet must not be entered into the database and a SYNTAX_ERR exception should be thrown.

2. <http://www.w3.org/2011/tracking-protection/track/issues/255>

> 1. This API needs to be on window.navigator. No further polluting of
> the global object. (This is also how it appears to be implemented.)

agreed

> 2. It needs to return a string enum rather than a string. (With
> values "", "yes", and "no" or some such.)

not agreed. It should be documented at this level as being whatever would be sent in a DNT header, if anything.

> 3. It should not return null. No need to vary type.

Not agreed. The meaning is that it is exactly what would be present in an HTTP DNT header. If any string (including an empty string) is returned, then a DNT header with that value would be sent. The special value NULL indicates that no DNT header would be sent.

> 4. It should be exposed in workers.

Agreed. Moving it (point 1) achieves this.

3. <http://www.w3.org/2011/tracking-protection/track/issues/256>

> They need to allow for an asynchronous permission
> check. In other words, return a promise.

agreed. still need help on how to write this (or an example). Robin?

> within platform APIs we call "URI" URL

Not agreed. DNT is an HTTP extension. URI is the correct term.

> You have not defined cookie-like domain string.

It is the cookie-domain defined in 5.2.3 of RFC 6265 <http://tools.ietf.org/html/rfc6265#section-5.2.3>

> We generally avoid things like
> "explanationString" or "siteName" as they are open to abuse. Also,
> putting "String" in the member name seems redundant.

agreed, these should be removed from the bag.

David Singer
Manager, Software Standards, Apple Inc.
Received on Wednesday, 8 October 2014 16:05:17 UTC
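
The cookie domain rule quoted under item 1 of the message above, sketched as an added example that is not part of the original message or of the specification text. The function names are hypothetical and `PUBLIC_SUFFIXES` is a constructed three-entry stand-in for a real public suffix list; a `false` result marks the case where the quoted text says the duplet is not stored and SYNTAX_ERR is thrown.

```javascript
// Constructed stand-in for a public suffix list (assumption); a real
// check needs the complete list, not these three entries.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// RFC 6265 section 5.2.3: drop one leading dot, then lowercase.
function canonicalDomain(domain) {
  return domain.replace(/^\./, "").toLowerCase();
}

// IPv4 dotted quad, or anything containing a colon (IPv6 literal).
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3: host domain-matches domain when they are
// identical, or host is a host name ending in "." + domain.
function domainMatches(host, domain) {
  if (host === domain) return true;
  return !isIpAddress(host) && host.endsWith("." + domain);
}

// Hypothetical helper: true when a script whose effective script origin
// has host `originHost` could set a cookie with Domain=`domain`.
function mayStoreForDomain(originHost, domain) {
  const host = originHost.toLowerCase();
  const d = canonicalDomain(domain);
  // "is a TLD" case: a bare public suffix would cover unrelated sites.
  if (d === "" || PUBLIC_SUFFIXES.has(d)) return false;
  // "right-hand match" case: must match on a label boundary.
  return domainMatches(host, d);
}

// Constructed sample inputs: [origin host, requested domain].
const samples = [
  ["news.example.com", "example.com"],       // parent domain: allowed
  ["news.example.com", "ample.com"],         // suffix, not on a label boundary
  ["news.example.com", "other.example.com"], // sibling, not a right-hand match
  ["news.example.com", "com"],               // TLD
  ["192.0.2.10", "0.2.10"],                  // IP addresses never suffix-match
];
for (const [host, domain] of samples) {
  console.log(host, domain, mayStoreForDomain(host, domain));
}
```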