W3C home > Mailing lists > Public > public-tracking@w3.org > August 2017

Re: TPE - Questions around UGE API Consolidation

From: Shane M Wiley <wileys@oath.com>
Date: Mon, 21 Aug 2017 07:13:46 -0700
Message-ID: <CAEwb2ykYFHpCgE_HxOSn=YQrD53CvVpCNjknRx_9LtxQHxs=QQ@mail.gmail.com>
To: "Mike O'Neill" <michael.oneill@baycloud.com>
Cc: public-tracking@w3.org
Mike,

As long as a browser could enforce the rule such that it is a technical
implementation rather than a policy one, then I think we're good from our
perspective.

- Shane

On Mon, Aug 21, 2017 at 3:09 AM, Mike O'Neill <michael.oneill@baycloud.com>
wrote:

> Shane,
>
>
>
> On your second point I agree it should not be possible for a subresource
> to register an exception for the first-party without the first-party being
> aware of it.
>
>
>
> CSP has a reporting feature we could copy, but care would have to be taken
> it did not introduce another privacy or security risk.
>
>
>
> Perhaps we should just rule it out, making the first-party always
> responsible. Or allow it only if the first-party explicitly enables it say
> by a Boolean in the TSR, “allowThirdPartyUGE”
>
>
>
> Mike
>
>
>
>
>
> *From:* Shane M Wiley [mailto:wileys@oath.com]
> *Sent:* 21 August 2017 02:10
> *To:* public-tracking@w3.org
> *Subject:* TPE - Questions around UGE API Consolidation
>
>
>
> *Multi-Domain First Party:*  Many websites operate under more than one
> core domain to manage their resources in a distributed manner or across
> individual product domains under the corporate domain.  Our team has not
> reviewed the UGE API since the consolidation and noticed on this pass that
> the ability to send multiple first party domains as part of a site wide
> exception has been lost in the new approach.  It appears only a single
> "site" can be provided per call now requiring multiple API calls for the
> same entity.  For example, www.yahoo.com and www.yimg.net would each
> require a separate call.  It doesn't appear there was a desire to force to
> a same origin policy here such that only the host domain can request a
> site-wide exception for its domain so would it be possible to include the
> "site" array property again?
>
>
>
> *3rd Parties Registering Exceptions on 1st Party Sites:*  It appears it
> may be possible for a 3rd party to attempt to register a user granted
> exception while operating on a 1st party site.  As it would be unexpected
> to occur in this scenario we'd ask that we determine a way for the 1st
> party to be notified in this case.
>
>
>
> - Shane
>
>
>
> Shane Wiley
>
> VP, Privacy
>
> Oath: A Verizon Company
>



-- 
- Shane

Shane Wiley
VP, Privacy
Oath: A Verizon Company
Received on Monday, 21 August 2017 14:14:11 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:39 UTC