- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Tue, 13 Jun 2017 20:59:38 +0100
- To: <singer@apple.com>
- Cc: <public-tracking@w3.org>
What I suggested was that any domain without a DNT exception, not a member of same-party, or not a member of other-party would be blocked by the UA, but only if the other-party array existed. Some UAs might do that, others not. If sites assume the worst then they will take care that the other-party list is accurate. If they don't want the functionality they do not supply other-party. This is the same with CSPs. If sites forget to add domains to source-lists they can find them being blocked. But it is useful functionality worth putting effort in for accuracy.

-----Original Message-----
From: singer@apple.com [mailto:singer@apple.com]
Sent: 13 June 2017 20:25
To: Mike O'Neill <michael.oneill@baycloud.com>
Cc: public-tracking@w3.org
Subject: Re: CFO Issue 22

> On Jun 13, 2017, at 12:16 , Mike O'Neill <michael.oneill@baycloud.com> wrote:
>
> David,
>
> The same-party description is similar, lots of use of mays and mights on how the UA will deal with it.

But there is an important qualification: this data controller is claiming that those sites are also under him: "share the same data controller as the designated resource"

> This is at least extensible (because it is an array of objects, and objects can have additional properties) and its meaning is clear - all the domains a controller is aware of that can appear as subresources, and are not same-party.

The meaning is far from clear. This array can contain a random list of sites that might or might not appear. There is literally nothing that can be relied on to be true.

> If the browser supports the JS API the site can add to these with domains the user has given consent to, so anything that is not in same-party, other-party or arrayOfDomainStrings can be suspect if the UA is designed that way.

So, The Swampville Gazette names WeatherOrWhat as an other-party because someone remembered they pulled in a weather widget, and also NefariousAds, because they had a contract with them once but forgot to remove them when the contract wasn’t renewed. The other-party array doesn’t mention StocksAreUs, which has recently been used to give market condition reports. I visit Swampville Gazette. The other-party array warns me incorrectly about NefariousAds but not StocksAreUs. What am I (user-agent) supposed to understand or do?

>
> Mike
>
> -----Original Message-----
> From: singer@apple.com [mailto:singer@apple.com]
> Sent: 13 June 2017 18:40
> To: Mike O'Neill <michael.oneill@baycloud.com>
> Cc: public-tracking@w3.org
> Subject: Re: CFO Issue 22
>
> Mike
>
> unfortunately, a CfO works by accepting only one alternative; no compromise or editing. I raised these concerns in the debate, but for whatever reason, they were not addressed.
>
> Your answer below is full of ‘would’s and ‘could’s, which actually serves to make my point: the field, as specified now, is woefully under-specified. It strays so far into flexibility and away from anything normative (and hence standardized) that I can’t agree it strikes any kind of balance at all.
>
>
>
>> On Jun 13, 2017, at 10:33 , Mike O'Neill <michael.oneill@baycloud.com> wrote:
>>
>> How the domains are allocated or categorised would often be legally determined. A compliance document could describe this and another property (on the other-party object) could convey the category names. "other-party" refers to domains, so there will always need to be a "domain" property, and there are several of them so it needs to be an array (of objects). Other properties (on the object) can convey further information, depending on the jurisdiction or the requirements of the site or service.
>>
>> I think this definition strikes a reasonable balance between standardisation and flexibility. If we are allowed further time maybe others would agree to more detail?
>>
>> -----Original Message-----
>> From: singer@apple.com [mailto:singer@apple.com]
>> Sent: 13 June 2017 17:18
>> To: public-tracking@w3.org (public-tracking@w3.org) <public-tracking@w3.org>
>> Subject: Re: CFO Issue 22
>>
>> I get that people would like the tracking resource to say something useful about other parties, but I urge people to read the specification text proposed, and understand that it is so imprecise that it could contain a random list of sites. There’s nothing there that anyone can rely on.
>>
>> As Roy says, if someone else is going to write a crisper, actionable, clarification, then that specification could simply supply the whole definition. Instead of writing “The other-parties field MUST contain [x] and MUST NOT contain [y]” they write “the well-known resource is extended with a field other-parties, which…”. There is no value derived from, and a lot of potential problems caused by, us under-defining a field: it would be ‘polluted’ in practice, with unusable values, and no one would be able to rely on it for anything.
>>
>>
>> David Singer
>> Manager, Software Standards, Apple Inc.
>>
>
> David Singer
> Manager, Software Standards, Apple Inc.

David Singer
Manager, Software Standards, Apple Inc.
Received on Tuesday, 13 June 2017 20:00:43 UTC
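
The blocking behaviour suggested at the top of this message, together with the Swampville Gazette scenario from the quoted reply, sketched as an added example (not code from the thread or from any specification text). The `.example` domains, the function names and the subdomain-matching rule are assumptions; the `other-party` shape (array of objects with a `domain` property) follows the description in the thread.

```javascript
// Added illustration. Domain names, function names and the matching rule are assumptions.
// Constructed tracking status resource for the thread's hypothetical Swampville Gazette.
const swampvilleTsr = {
  "tracking": "T",
  "same-party": ["swampvillegazette.example"],
  // Array of objects, each carrying a "domain" property, as described in the thread.
  "other-party": [
    { domain: "weatherorwhat.example" },
    { domain: "nefariousads.example" } // stale entry: contract not renewed
  ]
};

// Assumed rule: a host matches a listed domain if it equals it or is a subdomain of it.
function matches(host, domain) {
  const h = host.toLowerCase(), d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Domains declared in other-party, or null when the site supplied no array.
function declaredOtherParties(tsr) {
  const list = tsr["other-party"];
  if (!Array.isArray(list)) return null;
  return list.map((o) => o && o.domain).filter((d) => typeof d === "string");
}

// UA decision for one subresource host under the suggested policy.
function classify(host, tsr, exceptionDomains = []) {
  const other = declaredOtherParties(tsr);
  if (other === null) return { action: "allow", reason: "no-other-party" };
  const hit = (list) => list.some((d) => matches(host, d));
  if (hit(exceptionDomains)) return { action: "allow", reason: "dnt-exception" };
  if (hit(tsr["same-party"] || [])) return { action: "allow", reason: "same-party" };
  if (hit(other)) return { action: "allow", reason: "other-party" };
  return { action: "block", reason: "undeclared" };
}

// Site-side accuracy check: hosts a blocking UA would drop, and declared entries never loaded.
function audit(tsr, loadedHosts, exceptionDomains = []) {
  const blocked = loadedHosts.filter(
    (h) => classify(h, tsr, exceptionDomains).action === "block");
  const stale = (declaredOtherParties(tsr) || []).filter(
    (d) => !loadedHosts.some((h) => matches(h, d)));
  return { blocked, stale };
}
```

Run against the hosts a page actually loads, `audit` surfaces both errors from the Swampville scenario: the omitted StocksAreUs host is blocked, and the stale NefariousAds entry shows up as declared but never loaded.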