- From: David (Standards) Singer <singer@apple.com>
- Date: Thu, 09 Oct 2014 10:17:01 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Sid Stamm <sstamm@mozilla.com>, Tracking Protection Working Group <public-tracking@w3.org>

On Oct 9, 2014, at 10:05 , Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Oct 9, 2014 at 7:00 PM, David (Standards) Singer
> <singer@apple.com> wrote:
>> Given that, the group tried to minimize difference from existing techniques, notably cookie and script cross-origin, so as to re-use as much as possible (concept and code). I get the sense that you’d prefer a more modern design that represents an improvement on cookies, cors, and the like. I am not sure the group agrees; simple/compatible to implement is actually desirable. (That’s why I hesitate about promise returns, for example, and I am pushing back gently on expiration parameters).
>
> To be clear, cookies and document.domain and friends depend on
> publicsuffix.org. That is bad. We don't want to increase the amount of
> things that depend on that unless there's a very compelling reason.
> Anything new we've done for the last decade or so has been based on
> origins.

Do you have the time to sketch out what it would look like using origins? I think the WG would be happy to look.

The obvious problem: roughly, you need to be able to set an exception for a group of properties (hosts) from one of them (e.g. from dnt-center.yahoo.com, for all yahoo.com hosts), but obviously not see/set/cancel exceptions for properties that are not ‘yours’.

The API operation, and the decision on whether a recorded exception applies in this case (i.e. the decision on what DNT header to send), both need to have a model that achieves this.

David Singer
Manager, Software Standards, Apple Inc.

Received on Thursday, 9 October 2014 17:17:38 UTC