- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Mon, 31 Jul 2017 19:31:10 +0100
- To: "'Roy T. Fielding'" <fielding@gbiv.com>
- Cc: <public-tracking@w3.org>
Roy, the previous API only had the domain property (in the dictionary), not the arrayOfDomainStrings which was just for site-specific. The domain property defaulted to script-origin domain or it could specify subdomains off the main domain (only). With the latest change an iframe can set web-wide on other domains (via the target property) unrelated to its main domain.

You are correct that the old API evolved to allow iframes to register web-wide for their own domain (or subdomain), but that is why we added the TSR requirement as a check.

For web-wide exceptions under this new structure, perhaps the UA must require a valid TSR, and either check the target domains each have a TSR, or check they are referenced in the script-origin TSR's same-party property.

On 9.1, I think the DPAs have a pretty good understanding of the TPE. Specifying that browsers have the general preference defaulted on in Europe could be a way to signal to US based sub-resource servers that they are being accessed in an opt-in jurisdiction. It might be true that US companies will ignore it, but we cannot know they will or what will happen if they do. I think those decisions are best left to the compliance document drafters.

-----Original Message-----
From: Roy T. Fielding [mailto:fielding@gbiv.com]
Sent: 31 July 2017 18:07
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: public-tracking@w3.org
Subject: Re: do we have cause for a call on monday?

> On Jul 31, 2017, at 9:08 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
>
> It looks like the meeting is cancelled, but I would like to raise 3 issues with Roy's changes: 2 substantive and 1 editorial.
>
> The main one is the change in the API which, although I like the new structure, creates a new danger in that web-wide consent can now be registered by sub-resource iframes.
>
> If an iframe script-origin sets site to '*' and target to a set of domains, then each of those domains gets a web-wide exception. I think that makes it too easy for bad actors.
>
> I think web-wide registering should be limited to the top-level domain.

I agree, but that was a problem with the previous API as well, right? Or is there another requirement in another section that has yet to be moved over? In any case, yes, we should require that in the API.

> My other beef is with 9.1 which I think is unnecessary. It also contradicts what European DPAs have been saying. We should leave this up to compliance specs.

No, we are writing it specifically because what some DPAs have been saying is a misunderstanding of the DNT specification and how the technology works. They are not expected to understand our protocol right now. It is our duty to explicitly correct those misunderstandings. If we don't, this entire effort will have failed.

This isn't about compliance. It is a core aspect of the protocol design and this spec cannot proceed to REC if implementations are sending DNT by default, whether or not that is mandated by a government agency. DNT would lose the last excuse sites have to implement.

> The editorial point is 7.9 para 2. This should say the promise is rejected, not that the call throws an exception

It actually means the same for webIDL, but we should be consistent.

....Roy

Received on Monday, 31 July 2017 18:32:09 UTC
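
The UA-side check proposed in the message above (a valid script-origin TSR, then either a TSR on each target domain or a listing in the script-origin TSR's same-party property), sketched as an added example that is not part of the original thread or of the TPE specification. The function names, the request shape (`site` and `target` as described in the thread), the `mode` switch and the sample TSR data are assumptions constructed for illustration.

```javascript
// Added illustration: a hypothetical UA-side gate for web-wide exception requests.
// Function names and the request shape are assumptions, not the TPE API.

// Constructed stand-in for tracking status resources (TSRs) the UA has fetched.
// null means the domain served no usable TSR.
const SAMPLE_TSRS = new Map([
  ["widgets.example", { tracking: "T", "same-party": ["static.widgets-cdn.example"] }],
  ["partner.example", { tracking: "T" }],
  ["static.widgets-cdn.example", null],
  ["unrelated.example", null],
]);

// Simplified validity test: a TSR is an object with a string "tracking" member.
function validTsr(domain, tsrs) {
  const tsr = tsrs.get(domain.toLowerCase());
  return tsr && typeof tsr.tracking === "string" ? tsr : null;
}

// mode "own-tsr": every target must serve a valid TSR itself.
// mode "same-party": every target must be listed in the script-origin TSR.
function checkWebWideRequest(scriptOrigin, request, tsrs, mode) {
  if (request.site !== "*") {
    return { allowed: true, rejected: [] }; // site-specific: outside this check
  }
  const targets = (request.target || []).map((d) => d.toLowerCase());
  const originTsr = validTsr(scriptOrigin, tsrs);
  if (!originTsr) {
    return { allowed: false, rejected: targets }; // no valid script-origin TSR
  }
  const sameParty = new Set((originTsr["same-party"] || []).map((d) => d.toLowerCase()));
  const rejected = targets.filter((t) => {
    if (t === scriptOrigin.toLowerCase()) return false; // covered by its own TSR
    return mode === "same-party" ? !sameParty.has(t) : !validTsr(t, tsrs);
  });
  return { allowed: rejected.length === 0, rejected };
}
```

The two modes give different answers for the same iframe: a target listed as same-party but serving no TSR passes one check and fails the other.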