- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Mon, 31 Jul 2017 10:06:55 -0700
- To: Mike O'Neill <michael.oneill@baycloud.com>
- Cc: public-tracking@w3.org
> On Jul 31, 2017, at 9:08 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote: > > It looks like the meeting is cancelled, but I would like to raise 3 issues with Roy's changes2 substantive and 1 editorial.. > > The main one is the change in the API which, although I like the new structure, creates a new danger in that web-wide consent can now be registered by sub-resource iframes. > > If an iframe script-origin sets site to '*' and target to a set of domains, then each of those domains gets a web-wide exception. I think that makes it too easy for bad actors. > > I think web-wide registering should be limited to the top-level domain. I agree, but that was a problem with the previous API as well, right? Or is there another requirement in another section that has yet to be moved over? In any case, yes, we should require that in the API. > My other beef is with 9.1 which I think is unnecessary. It also contradicts what European DPAs have been saying. We should leave this up to compliance specs. No, we are writing it specifically because what some DPAs have been saying is a misunderstanding of the DNT specification and how the technology works. They are not expected to understand our protocol right now. It is our duty to explicitly correct those misunderstandings. If we don't, this entire effort will have failed. This isn't about compliance. It is a core aspect of the protocol design and this spec cannot proceed to REC if implementations are sending DNT by default, whether or not that is mandated by a government agency. DNT would lose the last excuse sites have to implement. > The editorial point is 7.9 para 2 . This should say the promise is rejected, not that the call throws an exception It actually means the same for webIDL, but we should be consistent. ....Roy
Received on Monday, 31 July 2017 17:07:19 UTC