- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Mon, 10 Apr 2017 16:22:24 +0100
- To: <public-tracking@w3.org>
The ad exchange use case is problematic because DNT exceptions and cookies are origin specific. I propose a solution that has the following pros:

- The ad exchange has lower legal costs and compliance risks.
- Users are not only protected from access to their personal data but also from malware threats.
- This can be verified by the UA and externally by regulators, researchers etc.
- Browsers have, or shortly will have, most of the required functionality.
- Users are more likely to freely give their consent.

This involves a small number of changes to the TPE and is based on the Content-Security-Policy (CSP) API [1], now supported by all major browsers, and Embedded Enforcement (EE) [2], which is a new API currently in Chromium and which will undoubtedly be implemented by all the others.

CSP lets an origin specify what subresources are allowed to load in different circumstances, whether iframes are "sandboxed" (so cookies are not sent) [3], if in-line script is allowed, what and if referrer headers are sent, and many other security oriented actions. EE takes this a step further by letting an origin ensure that subsidiary browsing contexts (i.e. triggered by its embedded iframes) have to agree to a CSP defined by its "parent" context or else they will be blocked (by the UA).

The additions to the TPE would be 2 new properties, "CSP0" and "CSP1", which an ad exchange inserts into its TSR. CSP0 is short for "content-security-policy to be enforced when DNT is 0" and similarly CSP1 means "content-security-policy to be enforced when DNT is 1". The UA then simply passes the correct CSP, depending on the value of the DNT header, on to embedded iframes. This is equivalent to generating the correct "csp" attribute on the iframe tag, or otherwise causing the relevant policy to be passed as the value of an "Embedding-CSP" request header (i.e. the header sent to the subsidiary's server to tell it what CSP it must agree to).

The CSP1 property could have a default, say "default-src 'self'; sandbox; plugin-types;", for cases when only the CSP0 was supplied, so only content from the winning entity's domain will be loaded (no script, cookies, plug-ins, or other-origin resources). Then the ad exchange could override the default (subject to user consent) by adding a CSP1 of "sandbox;plugin-types" so an iframe can load external content but cookies and script etc. are still disabled.

This will allow an ad exchange to make sure that any content they deliver will only be able to collect tracking data if the user has given consent to them, i.e. DNT is 0.

[1] https://www.w3.org/TR/CSP2/
[2] https://w3c.github.io/webappsec-csp/embedded/
[3] https://www.w3schools.com/tags/att_iframe_sandbox.asp
Received on Monday, 10 April 2017 15:23:20 UTC
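The selection logic the proposal describes, written out as an added example (this is editor-supplied code, not code from the post, the TPE or any browser): it picks the CSP a UA would pass to an ad exchange's iframe from the DNT value and the CSP0/CSP1 properties of the exchange's TSR, applies the proposed default when only CSP0 is present, and includes the check a UA or an external verifier could run to confirm that the DNT:1 policy really suppresses cookies and script. The property names CSP0/CSP1 and the default policy string come from the post; the sample TSR objects, the function names, and the handling of an unset DNT header (treated like DNT:1) are this example's assumptions.

```javascript
// Added example, not code from the mailing-list post or from any W3C deliverable:
// choosing the CSP an embedding page passes to an ad exchange's iframe from the
// DNT value and the CSP0/CSP1 properties proposed for the exchange's TSR.
// CSP0/CSP1 and the default CSP1 value come from the proposal; the TSR objects,
// function names and the treatment of an unset DNT are this example's assumptions.

// Default CSP1 from the proposal, used when a TSR supplies only CSP0.
const DEFAULT_CSP1 = "default-src 'self'; sandbox; plugin-types;";

// Parse a serialized CSP into a Map of directive name -> array of tokens.
// CSP ignores duplicate directives after the first, so the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Select the policy to enforce on the embedded iframe.
// dnt: "0" (consent given), "1" (do not track) or null when no DNT header is sent.
// Assumption: an unset DNT is handled like DNT:1, i.e. the restrictive branch.
function policyForDnt(tsr, dnt) {
  if (dnt === "0") return tsr.CSP0 || null; // exchange's own policy, if it gave one
  return tsr.CSP1 || DEFAULT_CSP1;          // CSP1, or the proposal's default
}

// Build the iframe attributes and the request header a UA would emit for the slot:
// the same policy goes into the iframe's "csp" attribute and the Embedding-CSP header.
function embedAdFrame(src, tsr, dnt) {
  const csp = policyForDnt(tsr, dnt);
  return csp === null
    ? { src, csp: null, embeddingCspHeader: null }
    : { src, csp, embeddingCspHeader: `Embedding-CSP: ${csp}` };
}

// Verification hook for the DNT:1 branch: does the policy actually stop cookies
// and script? That requires a sandbox directive without allow-same-origin (which
// would let cookies flow to the frame's origin) and without allow-scripts.
function blocksCookiesAndScript(policy) {
  const d = parseCsp(policy);
  if (!d.has("sandbox")) return false;
  const flags = new Set(d.get("sandbox").map((t) => t.toLowerCase()));
  return !flags.has("allow-same-origin") && !flags.has("allow-scripts");
}

// Constructed sample TSRs (hypothetical exchanges, not real ones).
const EXCHANGE_ONLY_CSP0 = {
  tracking: "T",
  CSP0: "default-src *; sandbox allow-scripts allow-same-origin;",
};
const EXCHANGE_WITH_OVERRIDE = {
  tracking: "T",
  CSP0: "default-src *; sandbox allow-scripts allow-same-origin;",
  CSP1: "sandbox; plugin-types;",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const dnt of ["0", "1", null]) {
    const frame = embedAdFrame("https://ads.example/slot", EXCHANGE_WITH_OVERRIDE, dnt);
    console.log(`DNT=${dnt}:`, frame, "blocks cookies+script:",
      frame.csp !== null && blocksCookiesAndScript(frame.csp));
  }
}
```

With the first sample TSR, DNT:1 yields the proposal's default (only same-origin content, no script, no cookies); with the second, the exchange's CSP1 override takes effect and the check still passes because `sandbox` carries no `allow-same-origin` or `allow-scripts` flag. Under DNT:0 the exchange's own CSP0 is passed through unchanged, which is exactly the case the check is expected to fail.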