- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Thu, 11 May 2017 17:39:49 +0100
- To: "'Matthias Schunter \(Intel Corporation\)'" <mts-std@schunter.org>, <public-tracking@w3.org>
Matthias, The user can already "choose to constrain an exception to a subset of third parties" if the server allows him to. That is what the arrayOfDomainStrings parameter is for. At the moment, because the TPE must enforce "one out, all out", the user agent in its own UI can only allow the user to change what has been established during their interaction with the server by revoking all of them at once. It cannot allow the user to selectively change the set of third-parties once they are granted. Although the API adds nothing in the "site-wide site-specific" edge case, I think it may still be useful because it allows a top-level (or parent) server to find out what embedded resources are loaded by it and its descendants. They might use that to offer the user control over them individually or use it for debugging. I do not think there is any harm in it as long as the full urls are not conveyed. For safety it should only be enabled if the server wants it to be, via a special indication carried in the TSR. I also do not mind the "wasBlocked" indication, as long as it is for generic or UA policy reasons, and cannot be used to find out find-grained content blocker information. This is a different issue to the arrayOfDomainStrings bug. We need to start another issue for that. Shall I do that? Mike -----Original Message----- From: Matthias Schunter (Intel Corporation) [mailto:mts-std@schunter.org] Sent: 11 May 2017 16:10 To: public-tracking@w3.org Subject: Re: [w3c/dnt] Add more meta data in the Tracking Status Resource (#22) Hi Folks, If we want to codify this in the spec, we would say something like "by exceptions SHOULD be all-or-nothing" "the user MAY choose to constrain an exception to a subset of third parties. In this case, it MUST [language on truthful reporting the TPs that did not get DNT;0" by populating return values into the API]. Would we agree on this approach? IMHO it would provide the overall desired balance: - Transparency for users - By default all-or-nothing behavior for exceptions for publishers - Freedom to allow users to blacklist some limited number of sites - Guarantee to honestly report any unexpected constraints to publisher Regards, matthias On 10.05.2017 19:39, Mike O'Neill wrote: > I agree it should be OK for the UA to let the user choose, but the TPE > says the set of targets should be “handled as a unit”, so “one out, all > out”. > > > > The only way DNT:0 would not be sent would be if the request was > blocked, or the UAs implementation of the TPE had a bug. I think > requiring the UA to report its own bug is bizarre. > > > > > > > > > > > > *From:*Shane Wiley [mailto:wileys@yahoo-inc.com] > *Sent:* 10 May 2017 17:26 > *To:* Mike O'Neill <michael.oneill@baycloud.com>; public-tracking@w3.org > *Subject:* Re: [w3c/dnt] Add more meta data in the Tracking Status > Resource (#22) > > > > Or it manages the outcome where a browser provides independent domain > control to a user regardless of the "all or nothing" proposition > currently stated in the TPE. > > > > I'm personally okay with a user making domain level decisions that go > against the Site-Wide Exception that was originally granted as that > should be their choice. But we need balance in transparency to > understand the choices the user has made so as a publisher I know how to > react from there. > > > > - Shane > > > > Shane Wiley > VP, Privacy > Yahoo > > > > ------------------------------------------------------------------------ > > *From:*Mike O'Neill <michael.oneill@baycloud.com > <mailto:michael.oneill@baycloud.com>> > *To:* public-tracking@w3.org <mailto:public-tracking@w3.org> > *Sent:* Wednesday, May 10, 2017 3:08 AM > *Subject:* RE: [w3c/dnt] Add more meta data in the Tracking Status > Resource (#22) > > > > If site-wide exception exists then it is a bug if a non-empty set of > > subresources receives anything other than DNT:0. > > > > If the user revokes their consent for any then no subdomains will get DNT:0 > > (because they MUST be handled as a unit) > > > > This is an API for a user agent to report it has a bug, which is pointless. > > > > > > >
Received on Thursday, 11 May 2017 16:40:48 UTC