Re: TPE last-call issues on my plate, summary

Adding Anne van Kesteren since he is not subscribed to the mailing list and had concerns about some of this.

-Sid

On Oct 8, 2014, at 9:04 AM, David Singer (Standards) <singer@apple.com> wrote:

> 1. <http://www.w3.org/2011/tracking-protection/track/issues/243> terminology
> 
> agreed
> 
> top-level origin -> top-level browsing context as defined in <http://www.w3.org/TR/html5/browsers.html#browsing-context>
> 
> a target is the Host part of an HTTP URL as defined in <http://tools.ietf.org/html/rfc3986#page-18> from which a resource is requested
> 
> document origin of a script -> effective script origin, so it now reads
> 
>> If domain is supplied and not empty then it is treated in the same way as the domain parameter to cookies and allows setting for subdomains. 
>> 
>> If the effective script origin would not be able to set a cookie on the domain following the cookie domain rules [COOKIES] (e.g. domain is not a right-hand match or is a TLD) then the duplet must not be entered into the database and a SYNTAX_ERR exception should be thrown.
> 
> 
> 2. <http://www.w3.org/2011/tracking-protection/track/issues/255>
> 
>> 1. This API needs to be on window.navigator. No further polluting of
>> the global object. (This is also how it appears to be implemented.)
> 
> agreed
> 
>> 2. It needs to return a string enum rather than a string. (With
>> values "", "yes", and "no" or some such.)
> 
> not agreed.  It should be documented at this level as being whatever would be sent in a DNT header, if anything. 
> 
>> 3. It should not return null. No need to vary type.
> 
> Not agreed. The meaning is that it is exactly what would be present in an HTTP DNT header.  If any string (including an empty string) is returned, then a DNT header with that value would be sent. The special value NULL indicates that no DNT header would be sent.
> 
>> 4. It should be exposed in workers.
> 
> Agreed.  Moving it (point 1) achieves this.
> 
> 
> 3. <http://www.w3.org/2011/tracking-protection/track/issues/256>
> 
>> They need to allow for an asynchronous permission
>> check. In other words, return a promise.
> 
> agreed.  still need help on how to write this (or an example). Robin?
> 
>> within platform APIs we call "URI" URL
> 
> Not agreed.  DNT is an HTTP extension.  URI is the correct term.
> 
>> You have not defined cookie-like domain string.
> 
> It is the cookie-domain defined in 5.2.3 of RFC 6265 <http://tools.ietf.org/html/rfc6265#section-5.2.3>
> 
>> We generally avoid things like
>> "explanationString" or "siteName" as they are open to abuse. Also,
>> putting "String" in the member name seems redundant.
> 
> agreed, these should be removed from the bag.
> 
> 
> David Singer
> Manager, Software Standards, Apple Inc.
> 
> 

Received on Wednesday, 8 October 2014 16:16:29 UTC
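
The domain rule quoted under item 1 (treat `domain` like the cookie domain parameter, reject it when it is not a right-hand match or is a TLD) can be sketched as follows. This is an added example, not code from the thread or from the TPE draft; the function names, the tiny `PUBLIC_SUFFIXES` set, the host-only result for an empty `domain`, and the use of a plain `SyntaxError` in place of the draft's SYNTAX_ERR exception are all assumptions made for illustration.

```javascript
// Added example: validate the `domain` argument of a tracking-exception
// request against the RFC 6265 cookie domain rules.
// PUBLIC_SUFFIXES is a constructed stand-in for a real public suffix list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// RFC 6265 section 5.2.3: lowercase the value and drop one leading dot.
function canonicalDomain(domain) {
  const d = domain.toLowerCase();
  return d.startsWith(".") ? d.slice(1) : d;
}

// RFC 6265 section 5.1.3 domain-match: the strings are identical, or the
// host ends with "." + domain and the host is a name, not an IP address.
function domainMatch(host, domain) {
  if (host === domain) return true;
  if (IPV4.test(host) || host.includes(":")) return false;
  return host.endsWith("." + domain);
}

// Returns the domain the entry would be stored under, or throws where the
// quoted text calls for SYNTAX_ERR (hypothetical helper name).
function checkExceptionDomain(scriptHost, domain) {
  const host = scriptHost.toLowerCase();
  if (!domain) return host; // assumption: no domain means a host-only entry
  const d = canonicalDomain(domain);
  // A public suffix ("is a TLD") is only acceptable if it is the host itself.
  if (PUBLIC_SUFFIXES.has(d) && d !== host) {
    throw new SyntaxError(`"${domain}" is a public suffix`);
  }
  // "Right-hand match": whole labels must match, not just trailing characters.
  if (!domainMatch(host, d)) {
    throw new SyntaxError(`"${domain}" is not a right-hand match for ${host}`);
  }
  return d;
}
```

Note that `badexample.com` fails against `example.com`: the comparison is on whole labels, which is the case a naive suffix check gets wrong.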