Re: Supporting TPE on sites/subdomains where a user does not have control of the server (ISSUE 15, ISSUE 10)

[To avoid repeating the same thing multiple times, I'll just repost this
 as a public response ...]

It is trivial for any hosting environment to set a header field.  E.g.,

  http://httpd.apache.org/docs/current/mod/mod_headers.html#header

Of course, content owners without admin rights are not normally given
direct access to the httpd config. Instead, they are given fixed configuration
options (a checkbox or few) in some sort of admin panel which is then
translated to some httpd config in the backend.

Complexity of Tk is going to be a function of how much variability of
tracking is allowed on the server as a whole.  In any case, it is no more
complex than the existing per-site or per-user configurations supported
by products like cPanel (https://cpanel.com/demo/) or wp-admin:

  https://en.support.wordpress.com/settings/privacy-settings/
  https://en.support.wordpress.com/category/embedding-content/
  https://en.support.wordpress.com/google-plus-embeds/

Note the last two links above.  The Tk value will only be accurate if
it is set by an administrator fully aware of the entire server's behavior,
which means some sort of programmatic summation of the content owner's
intended content and configuration.

Regardless, this entire discussion is misplaced.  Users are NOT interested,
for the most part, in the tracking policies of a first-party (HTML) site.
They are interested in the tracking policies of embedded third-party resources
linked to by that site.  We need Tk to be present on web beacons and ads,
which means images, javascript, and maybe the occasional css response.
Making Tk available only for HTML files is almost completely irrelevant to TPE,
particularly after the HTML has been requested.

All of this was taken into consideration when the present TPE mechanisms
were defined.  In order to justify a change in TPE, we should expect at least
some new information to be presented to question a prior consensus.


Cheers,

Roy T. Fielding                     <http://roy.gbiv.com/>
Senior Principal Scientist, Adobe   <https://www.adobe.com/>

Received on Tuesday, 31 January 2017 20:17:19 UTC
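
The panel-to-httpd translation described in the message above, sketched as an added example that is not part of the original message or of any hosting product's code. The option names and the rule that any tracking feature makes the site-wide value `T` are assumptions for illustration; the single-character Tk values come from the TPE draft and `Header always set` is the mod_headers directive.

```python
import re

# Tracking status values the TPE draft defines for the Tk response header.
VALID_TSV = set("!?GNTCPDU")

# Hypothetical admin-panel checkboxes, mapped to whether enabling the
# feature causes the site to track visitors (constructed for this example).
OPTION_TRACKS = {
    "site_stats": True,
    "third_party_embeds": True,
    "static_theme_only": False,
}

HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")


def summarize_tk(options):
    """Reduce one site's checked options to a single Tk value."""
    unknown = set(options) - set(OPTION_TRACKS)
    if unknown:
        # Refuse to guess: an unrecognised option would make Tk inaccurate.
        raise ValueError(f"unknown panel options: {sorted(unknown)}")
    enabled = [name for name, on in options.items() if on]
    return "T" if any(OPTION_TRACKS[name] for name in enabled) else "N"


def render_vhost(server_name, options):
    """Emit an httpd fragment that sets Tk on every response of the site."""
    if not HOSTNAME_RE.fullmatch(server_name):
        # Panel input ends up in server config: accept only a bare hostname.
        raise ValueError("invalid server name")
    tk = summarize_tk(options)
    if tk not in VALID_TSV:
        raise ValueError(f"not a TPE tracking status value: {tk!r}")
    return "\n".join([
        "<VirtualHost *:80>",
        f"    ServerName {server_name}",
        "    # No <FilesMatch> filter: images, scripts and CSS carry Tk too.",
        f'    Header always set Tk "{tk}"',
        "</VirtualHost>",
    ])


if __name__ == "__main__":
    print(render_vhost("blog.example.org", {"third_party_embeds": True}))
```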