- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Mon, 23 Jan 2017 19:56:20 -0000
- To: "'Matthias Schunter \(Intel Corporation\)'" <mts-std@schunter.org>, <public-tracking@w3.org>
Hi Matthias,
Good summary. I agree the "pretending to support DNT" issue makes it a tricky trade-off between ease of implementation and confirmability.
The status-id extension (to the Tk header) allows for multiple TSRs so maybe that’s enough. In the "wordpress" use case the hosting site could support different status-ids for its customers, who could qualify the default TSR by supplying a status-id in the http-equiv="Tk" tag if need be.
The big brand sites can handle the logistic problem by doing redirects, which is not that hard (though a bit harder than the way it is done ATM).
So I agree with your compromise.
Mike
-----Original Message-----
From: Matthias Schunter (Intel Corporation) [mailto:mts-std@schunter.org]
Sent: 23 January 2017 18:16
To: public-tracking@w3.org (public-tracking@w3.org) <public-tracking@w3.org>
Subject: Supporting TPE on sites/subdomains where a user does not have control of the server (ISSUE 15, ISSUE 10)
Hi TPWG,
today, we discussed how to resolve ISSUE10 and 15.
I discussed our pros and cons below. My proposed resolution is:
(A) We only allow TSR at the well-known resources to ensure discovery in
one location and also before visiting a URL. It also ensures that a page
owner cannot "pretend" to do DNT without support of the server admins.
The server admins can allow users to post their TSR under given IDs.
(B) We allow http-equiv to be used to deliver the header. This
simplifies deployment and allows a page owner to add an ID that
identifies the policy that it used.
Below is my detailed arguments. Any feedback/opinion/pojnts I missed?
Regards,
matthias
-------------------
SCENARIO
The scenario is that you use a subdomain / some pages / .. on a server
that you do not fully control.
E.g. a hosting provider, wordpress, tumblr, ...
You want to support DNT on your pageswithout requiring the server admins
to actively help.
MIKE PROPOSAL
- Header: Page owner is allowed to deliver DNT header via http-equiv
- Tracking Status: Instead of using a well-known resource, http-equiv
could also point to a URL
that points to the tracking status resource.
DISCUSSION
- PRO
+ Allows page/subdomain owners to support DNT without explicit support
of server admins
- CONTRA
- Without any server support, a page owner cannot know whether the
server tech stack indeed
implements the desired policies (e.g. logging/cookies/retention
could still continue)
- Discoverability is limited since each page could publish its own policy
- If a Tracking Status Resourfce is published at the well-known URL,
this may be superseded /conflicted with a page-policy
DISCUSSION 1: TSR / we-known URI
* Without any server support, pretending to support DNT is not soundly
possible
=> Consequence: We have to assume that the server helps
* If the server helps, the server admins could allow posting TSRs under
different IDs under the well-known URI
* Then the header can point to one of those IDs.
DISCUSSION 2: Support for headers
* If a user has only HTML access, then it is hard to send headers.
* In this scenario, a http-equiv would simplify delivery of the DNT signals
PROPOSED RESOLUTION
- We continue to require TSR to be posted under an ID at the well-known
resource
- Better discovery
- Ensures that the server admins cooperate
- We allow http-equiv delivery of the header for a particular page
- Simplifies deployment
- Allows pages to set their ID
- Proposed conflict resolution: Header overrides http-equiv since
the header is more likely to come from the server owners.
Received on Monday, 23 January 2017 19:57:25 UTC