- From: David Singer <singer@apple.com>
- Date: Fri, 23 Sep 2016 10:00:39 +0100
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Matthias Schunter <mts-std@schunter.org>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
> On Sep 22, 2016, at 20:04 , Roy T. Fielding <fielding@gbiv.com> wrote:
>
>> On Sep 22, 2016, at 4:09 AM, Matthias Schunter (Intel Corporation) <mts-std@schunter.org> wrote:
>>
>> (Editorial) Changes to TPE
>> - Change fingerprinting section and extend it to a privacy and security
>> section
>
> The entire spec is about privacy and security. We would have to narrow
> that quite a bit, such as "privacy bits specific to the TPE protocol"
> or some such.

I think we need to do the security and privacy review; for example, exceptions are a new state-recording mechanism. DNT headers add to the fingerprinting surface. Contacting a site to find its well-known resource means, well, you’ve contacted it. Could a WKR be malformed to cause security risks? And so on.

>
>> - Change definition of "enabled" to also include exceptions: Once you
>> recorded an exception, you implicitly enabled the feature.
>
> That would not be editorial because the term is used in normative requirements.
> In any case, it isn't necessary: read the last two paragraphs of
>
> https://www.w3.org/TR/tracking-dnt/#determining

OK. But we have a bug; we currently have text that says the header is only sent when DNT is enabled, but later we learn that a site can register an exception even when it’s not, which will cause a DNT header to be sent when applicable, even though the general preference is not enabled. That’s an editorial bug (the statement that it’s only sent when enabled claims to be a statement of fact, not a requirement).

David Singer
Manager, Software Standards, Apple Inc.

Received on Friday, 23 September 2016 09:01:18 UTC