RE: Supporting TPE on sites/subdomains where a user does not have control of the server (ISSUE 15, ISSUE 10)

I do not see the difference. If you cut & paste a CSP from one site to another it neither fails nor succeeds in being "true", it is just nonsense. Similarly, if you cut & paste Tk: N;cust1 to a different site, it is meaningless and therefore also wrong.

Anyway, this is not about cutting and pasting, it is about making it easier for a site's controller to dynamically report tracking status (and perhaps policy) to a user's browser. Whether it is conveyed in the head section of content or a response header hardly matters in the circumstances we are talking about. Other situations (e.g. servers for third-party sub-resources) are dealt with by pre-existing headers taking precedence.



-----Original Message-----
From: Roy T. Fielding [mailto:fielding@gbiv.com] 
Sent: 31 January 2017 19:16
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: public-tracking@w3.org <public-tracking@w3.org>
Subject: Re: Supporting TPE on sites/subdomains where a user does not have control of the server (ISSUE 15, ISSUE 10)

> On Jan 24, 2017, at 10:18 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
> 
> Roy,
> 
> CSP gets delivered via meta http-equiv="csp"
> 
> https://www.w3.org/TR/CSP2/#delivery-html-meta-element
> 
> for the same reasons. If the response header is there, the meta tag gets ignored. Allowing the option lets a hosted site return a status-id (in a meta tag) that can then point to a controller-specific TSR, and also lets it claim Tk: C for OOBC if the API isn't there. As long as the tag gets ignored if the header is already there, it is fine IMO.
> 
> Mike

CSP sets a security policy for the included content embedding in the HTML.
It does not fail to be true when you copy and paste it to another server,
even if that move causes embedded requests to fail.

Tk describes the service controller's policy regarding tracking during
this and future requests.  Copy and paste it to another server and the
claim will be false.

HTML page is content.  Tracking policy is not.

....Roy

Received on Wednesday, 1 February 2017 20:27:41 UTC
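As an added illustration of the precedence rule discussed in this thread (a Tk response header wins; a meta element is consulted only when the header is absent), the Python below is not part of the thread or of TPE. The `<meta http-equiv="Tk">` delivery is the hypothetical proposal under discussion, while the Tk value grammar and the `/.well-known/dnt/` resource path follow TPE.

```python
import re
from html.parser import HTMLParser

# Tracking-status-value characters from the TPE Tk grammar; status-id = 1*(ALPHA / DIGIT / "_" / "-").
TK_VALUE_RE = re.compile(r"^([!?GNTCPDU])(?:;([A-Za-z0-9_-]+))?$")

def parse_tk(value):
    """Split a Tk field value into (status, status_id); reject anything outside the grammar."""
    m = TK_VALUE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed Tk value: {value!r}")
    return m.group(1), m.group(2)

def tsr_path(status_id):
    """Path of the tracking status resource the value points at (site-wide when no status-id)."""
    return "/.well-known/dnt/" + (status_id or "")

class _MetaTkFinder(HTMLParser):
    """Collect content of <meta http-equiv="Tk"> inside <head>. Hypothetical delivery, not in TPE."""
    def __init__(self):
        super().__init__()
        self.found = []
        self.in_head = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and self.in_head and a.get("http-equiv", "").lower() == "tk":
            self.found.append(a.get("content", ""))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def resolve_tk(response_headers, body):
    """Return ((status, status_id), source). A Tk response header always wins; the meta
    element is consulted only when the header is absent, as proposed in the thread."""
    for name, value in response_headers:
        if name.lower() == "tk":
            return parse_tk(value), "header"
    finder = _MetaTkFinder()
    finder.feed(body)
    if finder.found:
        return parse_tk(finder.found[0]), "meta"
    return None, None

# Constructed sample: the hosting server sends Tk: T, while the hosted page's meta claims N;cust1.
SAMPLE_HEADERS = [("Content-Type", "text/html"), ("Tk", "T")]
SAMPLE_BODY = '<html><head><meta http-equiv="Tk" content="N;cust1"></head><body></body></html>'
```

With the sample above the header value `T` is what the browser sees; only if the hosting server sends no Tk header does the page's `N;cust1` (and its TSR at `/.well-known/dnt/cust1`) get used.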