RE: Next 2 calls canceled (Oct 09 and Oct 16)

>> This lets a bad actor misuse the API for fingerprinting. Specify an
>> arbitrary string then always get the same string back
>> in other requests.

> Um, Mike, it’s only going to servers that the user has agreed may track.
> I’m not terribly fussed about improving the
> fingerprintability of users who already agree to being tracked.

The bad actor won't care if the user has agreed or not, they will just use
the API (from a subresource). It gets round any third-party cookie blocking,
so it will happen.

>>
>>> However, for site-wide exceptions, especially ones that are not limited
>>> to an enumerated list of domains,
>>> this exception causes DNT:0 to be sent to all embedded sites. I have
>>> some anxiety that not all of them will understand.
>>> On the other hand, why is the site registering for the exception asking
>>> for site-wide exceptions if it’s not confident of
>>> the way that all embedded sites will handle ‘permission to track’ i.e.
>>> the consequent DNT:0? On the third hand,
>>> the UA is allowed to take a site-specific exception request that HAS
>>> got a list of domains that, when embedded on this site,
>>> get DNT:0, and IGNORE that list and ‘broaden’ the request to a general
>>> site-wide request.
>>
>> The same DNT header does not have to be sent to every site-specific UGE
>> target. Bouncer, for example, calculates
>> the header for each request, using data from the requested origin as well
>> as the current parent.
>> The purpose string would be similarly calculated after examining that
>> subresource's TSR.

> The user-agent can’t possibly do a fetch of a TSR in order to work out what
> header to send in fetch
> requests…I must misunderstand what you say here. It’s both circular and an
> overhead.

When the store API is called it would fetch the TSRs for each of the
Targets; we already say they may do that. The TSRs are then put into a
domain-specific store (maybe just the purpose array). When requests get sent
the domain store is examined (it must be anyway, if only to get cookies) and
the DNT extension is calculated. Pretty efficient.

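As an added illustration of the per-request computation described in the reply above (example code written for this thread, not from the TPE spec, Bouncer, or any browser), the following Python models a user-agent store that fetches each target's TSR when the store API is called, keeps only its purpose array, and derives the DNT field value for each (parent, origin) pair from that stored data rather than from anything the calling page supplied. The "purpose" array in the TSR, the "/"-joined extension encoding and the sample TSRs are assumptions made for the example.

```python
import re

# Constructed sample TSRs keyed by origin, standing in for the fetch of each
# target's tracking status resource during the store API call (assumed shape:
# the "purpose" array is hypothetical, not a field from the TPE spec).
SAMPLE_TSRS = {
    "ads.example": {"tracking": "T", "purpose": ["ads", "analytics"]},
    "cdn.example": {"tracking": "N", "purpose": []},
}

# TPE grammar: DNT-field-value = ("0" / "1") *DNT-extension, where an
# extension octet is %x21 / %x23-2B / %x2D-5B / %x5D-7E (no CTL, SP,
# DQUOTE, "," or "\"). Anything else must never reach the header.
EXTENSION_OK = re.compile(r"^[\x21\x23-\x2b\x2d-\x5b\x5d-\x7e]*$")


class ExceptionStore:
    """Hypothetical user-agent record of site-specific exceptions."""

    def __init__(self, fetch_tsr):
        self.fetch_tsr = fetch_tsr  # origin -> TSR dict (network in reality)
        self.purposes = {}          # (parent, target) -> purpose list

    def store_site_specific_exception(self, parent, targets):
        # Store API call: fetch each target's TSR once and keep only its
        # purpose array. The calling page's own strings are never stored, so
        # there is no arbitrary value for it to read back in later requests.
        for target in targets:
            tsr = self.fetch_tsr(target)
            self.purposes[(parent, target)] = [
                p for p in tsr.get("purpose", []) if EXTENSION_OK.match(p)]

    def dnt_header(self, parent, origin):
        # Per-request computation: consult the domain store for this
        # (parent, origin) pair and build the DNT field value from it.
        purposes = self.purposes.get((parent, origin))
        if purposes is None:
            return "1"  # no exception covers this embedding: DNT:1
        ext = "".join("/" + p for p in purposes)  # assumed encoding
        return "0" + ext


def demo():
    store = ExceptionStore(lambda origin: SAMPLE_TSRS.get(origin, {}))
    store.store_site_specific_exception("news.example",
                                        ["ads.example", "cdn.example"])
    return {
        "ads-on-news": store.dnt_header("news.example", "ads.example"),
        "cdn-on-news": store.dnt_header("news.example", "cdn.example"),
        "ads-on-other": store.dnt_header("other.example", "ads.example"),
    }
```

The third lookup shows the same origin getting DNT:1 under a parent that never registered an exception, which is the per-parent behaviour Bouncer is described as implementing.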

Received on Thursday, 12 October 2017 09:49:42 UTC