RE: do we have cause for a call on monday?

Roy, the previous API only had the domain property (in the dictionary), not
the arrayOfDomainStrings which was just for site-specific. The domain
property defaulted to script-origin domain or it could specify subdomains
off the main domain (only). With the latest change an iframe can set
web-wide on other domains (via the target property) unrelated to its main
domain.

You are correct that the old API evolved to allow iframes to register
web-wide for their own domain (or subdomain), but that is why we added the
TSR requirement as a check. 

For web-wide exceptions under this new structure, perhaps the UA must
require a valid TSR, and either check the target domains each have a TSR, or
check they are referenced in the script-origin TSR's same-party property. 

On 9.1, I think the DPAs have a pretty good understanding of the TPE.
Specifying that browsers have the general preference defaulted on in Europe
could be a way to signal to US based sub-resource servers that they are
being accessed in an opt-in jurisdiction. It might be true that US companies
will ignore it, but we cannot know they will or what will happen if they do.

I think those decisions are best left to the compliance document drafters.

 



-----Original Message-----
From: Roy T. Fielding [mailto:fielding@gbiv.com] 
Sent: 31 July 2017 18:07
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: public-tracking@w3.org
Subject: Re: do we have cause for a call on monday?


> On Jul 31, 2017, at 9:08 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
> 
> It looks like the meeting is cancelled, but I would like to raise 3 issues
> with Roy's changes, 2 substantive and 1 editorial.
> 
> The main one is the change in the API which, although I like the new
> structure, creates a new danger in that web-wide consent can now be
> registered by sub-resource iframes.
> 
> If an iframe script-origin sets site to '*' and target to a set of
> domains, then each of those domains gets a web-wide exception. I think that
> makes it too easy for bad actors.
> 
> I think web-wide registering should be limited to the top-level domain.

I agree, but that was a problem with the previous API as well, right? Or is
there another requirement in another section that has yet to be moved over?
In any case, yes, we should require that in the API.

> My other beef is with 9.1 which I think is unnecessary. It also
> contradicts what European DPAs have been saying. We should leave this up to
> compliance specs.

No, we are writing it specifically because what some DPAs have been saying
is a misunderstanding of the DNT specification and how the technology works.
They are not expected to understand our protocol right now. It is our duty
to explicitly correct those misunderstandings. If we don't, this entire
effort will have failed.

This isn't about compliance. It is a core aspect of the protocol design and
this spec cannot proceed to REC if implementations are sending DNT by
default, whether or not that is mandated by a government agency. DNT would
lose the last excuse sites have to implement.

> The editorial point is 7.9 para 2. This should say the promise is
> rejected, not that the call throws an exception.

It actually means the same for webIDL, but we should be consistent.

....Roy

Received on Monday, 31 July 2017 18:32:09 UTC
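
The UA-side check proposed in the reply above (require a valid TSR for the script origin, then verify every target domain), sketched as an added example that is not part of the original message or of the TPE draft. The function name, the request shape, the reduced notion of a "valid" TSR, the `.example` domains and the rule that a target passes on either condition are assumptions; the map stands in for TSRs the UA would already have fetched.

```javascript
// Added illustration: hypothetical UA-side check, not text from the TPE draft.
// Constructed sample: domain -> parsed tracking status resource (TSR).
const SAMPLE_TSRS = new Map([
  ["ads.example", { tracking: "T", "same-party": ["cdn.ads.example"] }],
  ["partner.example", { tracking: "T" }],
]);

// Assumption: "valid" is reduced to "an object with a string tracking member".
function isValidTsr(tsr) {
  return typeof tsr === "object" && tsr !== null && typeof tsr.tracking === "string";
}

// req = { scriptOrigin, site, target }: scriptOrigin is the domain of the calling
// script; site and target are the properties named in the thread.
function checkWebWideException(req, tsrs) {
  if (req.site !== "*") {
    // Site-specific requests are outside this check; it raises no objection.
    return { allowed: true, reason: "not web-wide; check does not apply" };
  }
  const origin = req.scriptOrigin.toLowerCase();
  const originTsr = tsrs.get(origin);
  if (!isValidTsr(originTsr)) {
    return { allowed: false, reason: `no valid TSR for script origin ${origin}` };
  }
  const sameParty = new Set(
    (originTsr["same-party"] || []).map((d) => d.toLowerCase())
  );
  for (const raw of req.target) {
    const domain = raw.toLowerCase();
    if (domain === origin) continue; // already covered by the origin's own TSR
    // Assumption: a target passes if it meets either condition from the thread:
    // it has its own TSR, or the script-origin TSR lists it under same-party.
    if (!isValidTsr(tsrs.get(domain)) && !sameParty.has(domain)) {
      return { allowed: false, reason: `unverified target ${domain}` };
    }
  }
  return { allowed: true, reason: "all targets verified" };
}
```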