- From: David Singer <singer@mac.com>
- Date: Tue, 01 Aug 2017 12:34:21 -0700
- To: Mike O'Neill <michael.oneill@baycloud.com>
- Cc: "Roy T. Fielding" <fielding@gbiv.com>, public-tracking@w3.org
> On Jul 31, 2017, at 11:31 , Mike O'Neill <michael.oneill@baycloud.com> wrote:
>
> Roy, the previous API only had the domain property (in the dictionary), not the arrayOfDomainStrings which was just for site-specific. The domain property defaulted to script-origin domain or it could specify subdomains off the main domain (only). With the latest change an iframe can set web-wide on other domains (via the target property) unrelated to its main domain.

Yes, I am concerned that the simplification (to use the same bag for site-specific and web-wide) implies that all the contents of the bag are applicable in both cases. The arrayOfDOMSTrings is, IIRC, only applicable to site-specific.

>
> You are correct that the old API evolved to allow iframes to register web-wide for their own domain (or subdomain), but that is why we added the TSR requirement as a check.
>
> For web-wide exceptions under this new structure, perhaps the UA must require a valid TSR, and either check the target domains each have a TSR, or check they are referenced in the script-origin TSR's same-party property.
>
> On 9.1, I think the DPAs have a pretty good understanding of the TPE. Specifying that browsers have the general preference defaulted on in Europe could be a way to signal to US based sub-resource servers that they are being accessed in an opt-in jurisdiction. It might be true that US companies will ignore it, but we cannot know they will or what will happen if they do.
>
> I think those decisions are best left to the compliance document drafters.
>
> -----Original Message-----
> From: Roy T. Fielding [mailto:fielding@gbiv.com]
> Sent: 31 July 2017 18:07
> To: Mike O'Neill <michael.oneill@baycloud.com>
> Cc: public-tracking@w3.org
> Subject: Re: do we have cause for a call on monday?
>
>> On Jul 31, 2017, at 9:08 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
>>
>> It looks like the meeting is cancelled, but I would like to raise 3 issues with Roy's changes: 2 substantive and 1 editorial.
>>
>> The main one is the change in the API which, although I like the new structure, creates a new danger in that web-wide consent can now be registered by sub-resource iframes.
>>
>> If an iframe script-origin sets site to '*' and target to a set of domains, then each of those domains gets a web-wide exception. I think that makes it too easy for bad actors.
>>
>> I think web-wide registering should be limited to the top-level domain.
>
> I agree, but that was a problem with the previous API as well, right? Or is there another requirement in another section that has yet to be moved over? In any case, yes, we should require that in the API.
>
>> My other beef is with 9.1 which I think is unnecessary. It also contradicts what European DPAs have been saying. We should leave this up to compliance specs.
>
> No, we are writing it specifically because what some DPAs have been saying is a misunderstanding of the DNT specification and how the technology works. They are not expected to understand our protocol right now. It is our duty to explicitly correct those misunderstandings. If we don't, this entire effort will have failed.
>
> This isn't about compliance. It is a core aspect of the protocol design and this spec cannot proceed to REC if implementations are sending DNT by default, whether or not that is mandated by a government agency. DNT would lose the last excuse sites have to implement.
>
>> The editorial point is 7.9 para 2. This should say the promise is rejected, not that the call throws an exception
>
> It actually means the same for webIDL, but we should be consistent.
>
> ....Roy

Dave Singer
singer@mac.com

Received on Tuesday, 1 August 2017 19:34:46 UTC
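
The check Mike O'Neill suggests in the thread for web-wide exceptions (a valid TSR for the script-origin, and each target either having its own TSR or being listed in the script-origin TSR's same-party property), sketched as an added example that is not part of the original messages or of the TPE specification. The function names, the in-memory TSR map, the validity test and the `.example` hosts are assumptions made for illustration.

```javascript
// Constructed sample data: TSR contents keyed by host. A real UA would fetch
// each host's tracking status resource; "tracking" and "same-party" are TPE
// property names, everything else here is made up for the example.
const SAMPLE_TSRS = new Map([
  ["widgets.example", { tracking: "T", "same-party": ["cdn.widgets.example"] }],
  ["partner.example", { tracking: "N" }],
]);

// Hypothetical validity test: the TSR exists and carries a tracking status.
function hasValidTSR(tsrs, host) {
  const tsr = tsrs.get(host);
  return tsr != null && typeof tsr.tracking === "string";
}

// Hypothetical UA-side gate for a request of the shape discussed in the
// thread: site "*" (web-wide) plus a list of target domains.
function checkWebWideRequest(tsrs, scriptOrigin, request) {
  if (request.site !== "*") {
    return { allowed: true, rejected: [] }; // site-specific: not covered here
  }
  if (!hasValidTSR(tsrs, scriptOrigin)) {
    return { allowed: false, rejected: [...request.target] };
  }
  const sameParty = new Set(tsrs.get(scriptOrigin)["same-party"] || []);
  // A target passes if it has its own TSR or the script-origin's TSR
  // lists it as same-party; anything else blocks the whole request.
  const rejected = request.target.filter(
    (t) => !hasValidTSR(tsrs, t) && !sameParty.has(t)
  );
  return { allowed: rejected.length === 0, rejected };
}

// An iframe on widgets.example asks for web-wide exceptions on three domains.
const result = checkWebWideRequest(SAMPLE_TSRS, "widgets.example", {
  site: "*",
  target: ["cdn.widgets.example", "partner.example", "unrelated.example"],
});
console.log(result);
```

Returning the rejected targets rather than a bare boolean lets the UA report which domain blocked the request when it rejects the promise.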