W3C home > Mailing lists > Public > public-tracking@w3.org > October 2014

Re: tracking-ISSUE-266: automatic expiration of a tracking preference exception via API parameter [TPE Last Call]

From: David Singer <singer@apple.com>
Date: Wed, 15 Oct 2014 10:08:36 -0700
Message-Id: <7D64D109-AB50-4DA6-B1DF-747B3552371B@apple.com>
To: Tracking Protection Working Group <public-tracking@w3.org>
I think that this is a problem most conspicuously for web-wide exceptions, and they effectively emulate the behavior of cookies but in another way.  (Site-wide exceptions and cookies are not similar.)

The really broken scenario is where the site has a web-wide exception that needs to expire for some reason, and the exceptions API doesnít support expiry. To remember the expiry, the site sets an expiring cookie, and questions or disregards the exception if either it or the cookie is missing. If the siteís web-wide resource is non-scripted it is in no position to do anything about confirmation, re-requesting, checking etc. unless the user visits the site itself again.

Issues:
* why not use just the cookie?
* if the cookie is missing but the exception is present, which of the following occurred?
  a) the user deleted cookies but the expiry time is not yet reached
  b) the cookie expired
  c) the user set their general preference to DNT:0
 I donít think the site can tell.


I therefore think that we should either

1] add an expiry parameter to both exception-setting APIs (for regularity, though only the web-wide one is problematic)
OR
2] delete web-wide exceptions, since they are simply replicating cookies


Which do people prefer?


David Singer
Manager, Software Standards, Apple Inc.
Received on Wednesday, 15 October 2014 17:09:07 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:24 UTC