RE: TPE - Questions around UGE API Consolidation from Mike O'Neill on 2017-08-21 (public-tracking@w3.org from August 2017)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Mon, 21 Aug 2017 10:31:51 +0100
To: "'Shane M Wiley'" <wileys@oath.com>, <public-tracking@w3.org>
Message-ID: <35ea01d31a60$5289edf0$f79dc9d0$@baycloud.com>

Shane, there never was a capability to register multiple first party domains. All we had was the ability to apply it to subdomains via the “domain” dictionary property . You can still do that with the “site” property.

 

I did suggest that we could use the same-party array for this purpose, but this was rejected. The idea would be to have an option whereby the UGE was also applied to the domains in the same-party list. This does significantly contravene the same origin policy, but the risk could be mitigated by having all the first-party sites self-reference each other in the same-party array (and the UA could check that).

 

Mike

 

From: Shane M Wiley [mailto:wileys@oath.com] 
Sent: 21 August 2017 02:10
To: public-tracking@w3.org
Subject: TPE - Questions around UGE API Consolidation

 

Multi-Domain First Party:  Many websites operate under more than one core domain to manage their resources in a distributed manner or across individual product domains under the corporate domain.  Our team has not reviewed the UGE API since the consolidation and noticed on this pass that the ability to send multiple first party domains as part of a site wide exception has been lost in the new approach.  It appears only a single "site" can be provided per call now requiring multiple API calls for the same entity.  For example, www.yahoo.com <http://www.yahoo.com>  and www.yimg.net <http://www.yimg.net>  would each require a separate call.  It doesn't appear there was a desire to force to a same origin policy here such that only the host domain can request a site-wide exception for its domain so would it be possible to include the "site" array property again?

 

3rd Parties Registering Exceptions on 1st Party Sites:  It appears it may be possible for a 3rd party to attempt to register a user granted exception while operating on a 1st party site.  As it would be unexpected to occur in this scenario we'd ask that we determine a way for the 1st party to be notified in this case.

 

- Shane

 

Shane Wiley

VP, Privacy

Oath: A Verizon Company

Received on Monday, 21 August 2017 09:32:47 UTC