ad exchange use case, issue #23

The ad exchange use case is problematic because DNT exceptions and cookies
are origin specific. I propose a solution that has the following pros:
- The ad exchange has lower legal costs and compliance risks.
- Users are not only protected from access to their personal data but also
from malware threats.
- This can be verified by the UA and externally by regulators, researchers
etc.
- Browsers have, or shortly will have, most of the required functionality.
- Users are more likely to freely give their consent.

This involves a small number of changes to the TPE and is based on the
Content-Security-Policy (CSP) API [1], now supported by all major browsers,
and Embedded Enforcement (EE) [2] which is a new API currently in Chromium
and which will undoubtedly be implemented by all the others.

CSP lets an origin specify what subresources are allowed to load in
different circumstances, whether iframes are "sandboxed" (so cookies are not
sent) [3], whether in-line script is allowed, whether and which referrer
headers are sent, and many other security oriented actions.

EE takes this a step further by letting an origin ensure that subsidiary
browsing contexts (i.e. triggered by its embedded iframes) have to agree to
a CSP defined by its "parent" context or else they will be blocked (by the
UA).

The additions to the TPE would be two new properties, "CSP0" and "CSP1", which
an ad exchange inserts into its TSR. CSP0 is short for
"content-security-policy to be enforced when DNT is 0" and similarly CSP1
means "content-security-policy to be enforced when DNT is 1".

The UA then simply passes the correct CSP, depending on the value of the DNT
header, on to embedded iframes. This is equivalent to generating the correct
"csp" attribute on the iframe tag, or otherwise causing the relevant policy
to be passed as the value of an "Embedding-CSP" request header (i.e. the
header sent to the subsidiary's server to tell it what CSP it must agree to).

The CSP1 property could have a default, say "default-src 'self'; sandbox;
plugin-types;", for cases when only the CSP0 was supplied, so only content
from the winning entity's domain will be loaded (no script, cookies,
plug-ins, or other-origin resources). Then the ad exchange could override
the default (subject to user consent) by adding a CSP1 of
"sandbox;plugin-types" so an iframe can load external content but cookies
and script etc. are still disabled.

This will allow an ad exchange to make sure that any content they deliver
will only be able to collect tracking data if the user has given consent to
them, i.e. DNT is 0.
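As an added example that is not part of the original post, the following JavaScript sketches the UA-side selection described above: read the proposed CSP0/CSP1 properties from a TSR, fall back to the default CSP1 quoted in the post when the exchange supplied only CSP0, and hand the chosen policy on as the iframe "csp" attribute / Embedding-CSP value. It also parses the serialized policy so that the claimed effects (no cookies, no script, no plug-ins, no other-origin resources) can be checked mechanically, which is the kind of verification the post says a UA or a regulator could perform. The function names, the sample TSR, and the treatment of an absent DNT header as DNT: 1 are assumptions made here, not part of the proposal or of any browser implementation.

```javascript
// Added example (not from the original post): mapping the proposed TSR
// properties CSP0/CSP1 onto the policy passed to an embedded iframe, and
// checking what that policy actually disables. Function names and sample
// data are constructed for illustration.

// Default CSP1 for the case where the exchange supplied only CSP0
// (the default policy string quoted in the post).
const DEFAULT_CSP1 = "default-src 'self'; sandbox; plugin-types;";

// Constructed sample TSR: CSP0 is the looser policy an exchange might want
// under consent; CSP1 is deliberately omitted so the default applies.
const SAMPLE_TSR = {
  CSP0: "default-src https:; script-src 'self' https://cdn.example; plugin-types;",
};

// Choose the policy a UA would pass to the subsidiary browsing context.
// Only an explicit "DNT: 0" (consent) selects CSP0; "DNT: 1" selects CSP1.
// Assumption made here: an unset header is handled like DNT: 1, and a
// missing CSP0 under DNT: 0 also falls back to the stricter CSP1.
function selectEmbeddedPolicy(tsr, dntHeader) {
  const csp1 = tsr.CSP1 ?? DEFAULT_CSP1;
  if (dntHeader === "0" && typeof tsr.CSP0 === "string") {
    return tsr.CSP0;
  }
  return csp1;
}

// Parse a serialized CSP ("name value value; name ...") into a Map of
// directive name -> array of source/keyword tokens. Empty segments (e.g. a
// trailing ";") are skipped; directive names are case-insensitive.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const segment of serialized.split(";")) {
    const tokens = segment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Report which tracking-relevant capabilities a policy removes:
//  - cookiesBlocked: "sandbox" without allow-same-origin gives the frame an
//    opaque origin, so no cookies are sent with its requests;
//  - scriptBlocked:  "sandbox" without allow-scripts disables script;
//  - pluginsBlocked: "plugin-types" with an empty list, as the post uses it;
//  - thirdPartyBlocked: "default-src" restricted to 'self' (or 'none').
function trackingControls(serialized) {
  const d = parsePolicy(serialized);
  const sandbox = d.get("sandbox");
  const defaultSrc = d.get("default-src") ?? [];
  return {
    cookiesBlocked: sandbox !== undefined && !sandbox.includes("allow-same-origin"),
    scriptBlocked: sandbox !== undefined && !sandbox.includes("allow-scripts"),
    pluginsBlocked: d.has("plugin-types") && d.get("plugin-types").length === 0,
    thirdPartyBlocked:
      defaultSrc.length > 0 && defaultSrc.every((s) => s === "'self'" || s === "'none'"),
  };
}

// Render the chosen policy as the "csp" attribute of the ad iframe; the same
// string would be the value of the Embedding-CSP request header.
function iframeMarkup(src, tsr, dntHeader) {
  const policy = selectEmbeddedPolicy(tsr, dntHeader).replace(/"/g, "&quot;");
  return `<iframe src="${src}" csp="${policy}"></iframe>`;
}

// Demo: with no consent the default CSP1 applies and every control is on.
console.log(iframeMarkup("https://ads.example/slot", SAMPLE_TSR, "1"));
console.log(trackingControls(selectEmbeddedPolicy(SAMPLE_TSR, "1")));
```

Running the demo shows the DNT: 1 frame carrying the default policy with all four controls reported as blocked, while the same TSR under DNT: 0 yields the exchange's CSP0, for which the checker reports cookies and script as allowed; the post's "sandbox;plugin-types" override would report third-party loading as allowed but cookies, script and plug-ins still blocked.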


[1] https://www.w3.org/TR/CSP2/
[2] https://w3c.github.io/webappsec-csp/embedded/
[3] https://www.w3schools.com/tags/att_iframe_sandbox.asp

Received on Monday, 10 April 2017 15:23:20 UTC