- From: Mike O'Neill <michael.oneill@baycloud.com>
- Date: Thu, 12 Oct 2017 10:49:10 +0100
- To: "'David Singer'" <singer@mac.com>
- Cc: <public-tracking@w3.org>
>> This lets a bad actor misuse the API for fingerprinting. Specify an arbitrary string then always get the same string back >>in other requests. >Um, Mike, it’s only going to servers that the user has agreed may track. I’m not terribly fussed about improve the >fingerprintability of users who already agree to being tracked. The bad actor won't care if the user has agreed or not, they will just use the API (from a subresource). It gets round any third-party cookie blocking, so it will happen. >> >>> However, for site-wide exceptions, especially ones that are not limited to an enumerated list of domains, >>> this exception causes DNT:0 to be sent to all embedded sites. I have some anxiety that not all of them will understand. >>> On the other hand, why is the site registering for the exception asking for site-wide exceptions if it’s not confident of >>> the way that all embedded sites will handle ‘permission to track’ i.e. the consequent DNT:0? On the third hand, >>> the UA is allowed to take an site-specific exception request that HAS got a list of domains that, when embedded on this site, >> get DNT:0, and IGNORE that list and ‘broaden’ the request to a general site-wide request. >> >> The same DNT header does not have to be sent to every site-specific UGE target. Bouncer, for example, calculates >>the header for each request, using data from the requested origin as well as the current parent. >>The purpose string would be similarly calculated after examining that subresource's TSR. >The user-agent can’t possibly do a fetch of a TSR in order to work out what header to send in fetch >requests…I must misunderstand what you say here. It’s both circular and an overhead. When the store API is called it would fetch the TSRs for each of the Targets, we already say they may do that. The TSRs are then put into domain specific store (maybe just the purpose array ). When requests get sent the domain store is examined (it must anyway, if only to get cookies) and the DNT extension is calculated. Pretty efficient. >
Received on Thursday, 12 October 2017 09:49:42 UTC