Re: TPE latest from Shane M Wiley on 2017-08-30 (public-tracking@w3.org from August 2017)

From: Shane M Wiley <wileys@oath.com>
Date: Wed, 30 Aug 2017 09:26:28 -0700
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: public-tracking@w3.org
Message-ID: <CAEwb2y=g=wzFWy=uqnx_N51Lc0S1xsLYookNS8UFjatRnNNjpQ@mail.gmail.com>
Duh - I misread it.  Mental note - drink caffeine prior to document
reviews.  Apologies.

- Shane

On Wed, Aug 30, 2017 at 9:17 AM, Roy T. Fielding <fielding@gbiv.com> wrote:

>
> On Aug 30, 2017, at 8:01 AM, Shane M Wiley <wileys@oath.com> wrote:
>
> Mike and Group,
>
> This statement "*A site can request an exception be stored even when the
> user's general preference is not enabled."*  is a bit misleading as an
> exception can be stored at any time if the user has granted consent -
> regardless of their general preference.
>
>
> That's exactly what it says. What am I missing?
>
> ....Roy
>
> For example, the general preference maybe DNT:1 to all sites UNTIL an
> exception is granted.  Not sure when this language made it's way into the
> document but it isn't what we've been discussing.
>
> - Shane
>
> On Wed, Aug 30, 2017 at 6:32 AM, Mike O'Neill <michael.oneill@baycloud.com
> > wrote:
>
>> Roy,
>>
>>
>>
>> This is very good, I am happy with it except for the following nits:
>>
>>
>>
>> 6.3 para 4
>>
>>
>>
>> *A first party site's page (the top-level browsing context) might be used
>> to obtain site-specific consent for multiple parties; e.g., using multiple
>> iframe elements containing scripts that can convey information about each
>> party's policies and obtain specific consent for each party. In this case,
>> the effective script origin might be different from the site for which
>> consent is being granted.*
>>
>>
>>
>> It can be also web-wide also now, and consent is always being granted for
>> the script origin, or a subdomain of it (or site-specific consent for a
>> subresource of it). Suggested change:
>>
>>
>>
>> *A first party site's page (the top-level browsing context) might be used
>> to obtain site-specific or web-wide consent for multiple parties; e.g.,
>> using multiple iframe elements containing scripts that can convey
>> information about each party's policies and obtain specific consent for
>> each party. In this case, consent is being obtained for the effective
>> script origin of the iframe's responsible document, which could be
>> different from that of the top-level browsing context.*
>>
>>
>>
>>
>>
>> 6.3 para 6
>>
>>
>>
>> *A site can request an exception be stored even when the user's general
>> preference is not enabled. This permits the sending of DNT only for target
>> resources for which an expressed preference is desired. Stored exceptions
>> could affect which preference is transmitted if a user later chooses to
>> configure a general tracking preference.*
>>
>>
>>
>> This is a bit unclear, especially the meaning of the last sentence. We
>> should say this is only about DNT:0, and remove the last sentence which
>> does not really add anything. It is a MAY anyway, so best leave it to the
>> browser provider. Suggested change:
>>
>>
>>
>> *A site can request an exception be stored even when the user's general
>> preference is not enabled. This permits the sending of DNT:0 only for
>> target resources for which the expressed preference is desired. *
>>
>>
>>
>> 6.6.1, 6.6.2, 6.6.3 description of “targets” property.
>>
>>
>>
>> *targets*
>>
>> An array of target domains for which the exception applies:
>>
>>    - If targets
>>    <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dom-trackingexdata-targets> is
>>    undefined or null, the user-granted exception to be stored is
>>    [site, *], meaning that the exception applies to all domains
>>    referenced by the site.
>>    - If targets
>>    <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dom-trackingexdata-targets> is
>>    an empty array, the user-granted exception to be stored is
>>    [site, script domain], meaning that the exception applies only to
>>    resources that share the same domain as the effective script origin
>>    <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dfn-effective-script-origin>
>>    .
>>    - Otherwise, for each domain string in the targets
>>    <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dom-trackingexdata-targets> array,
>>    a user-granted exception to be stored is the duplet [site, domain].
>>
>>
>>
>> It is unclear if the script origin always receives  an exception, which
>> was the case before. A “domain referenced by the site” implicitly includes
>> the script origin, and the empty array case specifically includes it, so it
>> would make sense to cover this also for the non-empty targets case.
>> Suggested change:
>>
>>
>>
>>
>>
>>
>>
>> *targets*
>>
>> An array of target domains for which the exception applies:
>>
>>    - If targets
>>    <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dom-trackingexdata-targets> is
>>    undefined or null, the user-granted exception to be stored is
>>    [site, *], meaning that the exception applies to all domains
>>    referenced by the site.
>>    - If targets
>>    <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dom-trackingexdata-targets> is
>>    an array, the user-granted exception to be stored is at least
>>    [site, script domain], meaning that the exception applies to
>>    resources that share the same domain as the effective script origin
>>    <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dfn-effective-script-origin>
>>    .
>>    - Additionally, for each domain string in the targets
>>    <https://w3c.github.io/dnt/drafts/tracking-dnt.html#dom-trackingexdata-targets> array,
>>    a user-granted exception is stored for the the duplet [site, domain].
>>
>>
>>
>> Mike
>>
>
>
>
> --
> - Shane
>
> Shane Wiley
> VP, Privacy
> Oath: A Verizon Company
>
>


-- 
- Shane

Shane Wiley
VP, Privacy
Oath: A Verizon Company
Received on Wednesday, 30 August 2017 16:26:53 UTC