ISSUE-182: protocol for user agents to indicate whether a request with DNT set is 1st party or 3rd party

State: CLOSED
Product: Tracking Preference Expression (DNT)
Raised by: Mike O'Neill
Opened on: 2012-10-20
Description:
Because request handlers on Servers may in some jurisdictions react differently to 1st party and 3rd party requests, there should be a way for these handlers to transparently differentiate between them. This, together with the returned tracking status response, will also enable external auditing of logs for DNT compliance. Additionally, in the case of DNT:0 being signalled to reflect the registration of an exception it is also beneficial for the top-level document origin of a 3rd party request to be encoded in the header so that a retained log could be used later as proof of consent, and to aid the debugging of 1st party sites that called the API erroneously.

This is especially important now with the new exception API where the user-agent is not required to confirm agreement with the user.

As an example, here is an edited version of the DNT header ABNF definition that allows user-agents to signal this, and also allows for new extensions to be added as [name,value] pairs. The top level origin is only communicated when the DNT: 0 preference is indicated to inhibit fingerprinting. It could replace paragraph 4.2 in the TPE.

<TEXT>

The DNT header field is hereby defined as the means for expressing a user's tracking preference via HTTP [HTTP11].
DNT-field-name = "DNT" ; case-insensitive
DNT-field-value = DNT-preference *(DNT-qualifier *("," DNT-qualifier))
DNT-preference = "0" / "1"
DNT-qualifier = DNT-qualifier-name *("=" DNT-qualifier-value)
DNT-qualifier-name = first-party-descriptor / third-party-descriptor / DNT-extension-name
DNT-qualifier-value = top-level-host / DNT-extension-value
DNT-extension-name = %x21 / %x23-2B / %x2D-5B / %x5D-7E ; excludes CTL, SP, DQUOTE, comma, backslash
DNT-extension-value = %x21 / %x23-2B / %x2D-5B / %x5D-7E ; excludes CTL, SP, DQUOTE, comma, backslash
first-party-descriptor = "f"
third-party-descriptor = "t=" top-level-host

top-level-host is defined as the host subcomponent (as per RFC3986) of the URI of the top-level page.

A user agent must send the DNT header field on all HTTP requests if (and only if) a tracking preference is enabled. A user agent must not send the DNT header field if a tracking preference is not enabled.

The DNT-preference sent by a user agent MUST begin with the numeric character "1" (%x31) if a tracking preference is enabled, the preference is for no tracking, and there is not a site-specific exception for the origin server targeted by this request.

The DNT-preference sent by a user agent MUST begin with the numeric character "0" (%x30) if a tracking preference is enabled and the preference is to allow tracking in general or by specific exception for the origin server targeted by this request.

The DNT-qualifier third-party-descriptor MUST be present if the DNT-preference is "0" and this HTTP request is for a 3rd party resource, i.e. where the host subcomponent of the request URI is for a different document origin than the top level page.

The DNT-qualifier first-party-descriptor MAY be present if the DNT-preference is "1" and this HTTP request is for a 1st party resource, i.e. where this request is for a top-level page or the host subcomponent of the request URI is for the same document origin as the top level page.

Example ; DNT 1 preference sent to a 3rd party resource

GET /image- HTTP/1.1
Host: imagecloud.com
DNT: 1

Example ; DNT 1 preference sent to a 1st party resource

GET /something/here HTTP/1.1
Host: example.com
DNT: 1f

Example ; DNT 0 preference sent to a 3rd party resource

GET /image HTTP/1.1
Host: imagecloud.com
DNT: 0t=example.com

An HTTP intermediary MUST NOT add, delete, or modify the DNT header field in requests forwarded through that intermediary unless that intermediary has been specifically installed or configured to do so by the user making the requests. For example, an Internet Service Provider must not inject “DNT: 1” on behalf of all of their users who have not expressed a preference.

The DNT-extension-name rule is reserved for future extensions. User agents that do not implement such extensions must not send them, and Servers that do not implement such extensions should ignore them.

DNT extensions are to be interpreted as modifiers to the main preference expressed by the first digit, such that the main preference will be obeyed if the recipient does not understand the extension. Hence, a DNT-field-value of "1xyz" can be thought of as “do not track, but if you understand the refinements defined by x, y, or z, then adjust my preferences according to those refinements.” DNT extensions can only be transmitted when a tracking preference is enabled.

The extension syntax is restricted to visible ASCII characters that can be parsed as a single word in HTTP and safely embedded in a JSON string without further encoding (section 5.5.3 Representation). Since the DNT header field is intended to be sent on every request, when enabled, designers of future extensions ought to use as few extension characters as possible.
</TEXT>
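
An added example, not part of the original issue text or of any W3C specification: a Python log auditor that parses the proposed DNT field value and flags logged requests that contradict the rules in the proposal above. The names parse_dnt, audit, SAMPLE_LOG and REPORT are hypothetical, the log entries are constructed, and comparing "t=" against the request Host by string equality is a simplifying assumption standing in for a document-origin comparison.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Qualifier characters allowed by the proposed ABNF:
# %x21 / %x23-2B / %x2D-5B / %x5D-7E (no CTL, SP, DQUOTE, comma, backslash).
_QUALIFIER = re.compile(r"[\x21\x23-\x2B\x2D-\x5B\x5D-\x7E]+")

@dataclass
class DNT:
    preference: str                       # "0" or "1"
    first_party: bool = False             # "f" qualifier present
    top_level_host: Optional[str] = None  # host carried by "t=<host>"
    extensions: List[str] = field(default_factory=list)

def parse_dnt(value: str) -> Optional[DNT]:
    """Parse a DNT field value; return None when it is malformed."""
    value = value.strip()
    if not value or value[0] not in "01":
        return None
    dnt = DNT(preference=value[0])
    for q in (value[1:].split(",") if value[1:] else []):
        if not _QUALIFIER.fullmatch(q):
            return None
        name, _, val = q.partition("=")
        if q == "f":
            dnt.first_party = True
        elif name == "t" and val:
            dnt.top_level_host = val.lower()
        else:
            dnt.extensions.append(q)  # unknown extension: kept, otherwise ignored
    return dnt

def audit(host: str, value: str) -> List[str]:
    """Findings for one logged (request Host, DNT value) pair."""
    dnt = parse_dnt(value)
    if dnt is None:
        return ["malformed DNT value"]
    findings = []
    if dnt.top_level_host and dnt.preference == "1":
        findings.append("top-level host disclosed with DNT:1")
    if dnt.top_level_host and dnt.first_party:
        findings.append("both f and t= present")
    if dnt.top_level_host == host.lower():  # assumption: host string equality
        findings.append("t= names the request host")
    return findings

# Constructed log entries: the page's three examples plus three bad values.
SAMPLE_LOG = [("imagecloud.com", "1"), ("example.com", "1f"),
              ("imagecloud.com", "0t=example.com"), ("imagecloud.com", "1t=example.com"),
              ("imagecloud.com", "0t=imagecloud.com"), ("imagecloud.com", "2")]
REPORT = [(h, v, audit(h, v)) for h, v in SAMPLE_LOG]
```

The three examples from the proposal produce no findings; the last three constructed entries each produce one.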
Related Actions Items:
No related actions
Related emails:
  1. RE: Batch closing of TPE related issues (from wileys@yahoo-inc.com on 2013-06-12)
  2. Re: Batch closing of TPE related issues (from mts-std@schunter.org on 2013-06-12)
  3. Re: ISSUE-192 (Re: Batch closing of TPE related issues) ISSUE-201 (from mts-std@schunter.org on 2013-06-12)
  4. Re: Batch closing of TPE related issues (from mts-std@schunter.org on 2013-06-12)
  5. RE: Batch closing of TPE related issues (from michael.oneill@baycloud.com on 2013-06-12)
  6. RE: Batch closing of TPE related issues (from wileys@yahoo-inc.com on 2013-06-12)
  7. RE: Batch closing of TPE related issues (from wileys@yahoo-inc.com on 2013-06-12)
  8. Re: Batch closing of TPE related issues (from rob@blaeu.com on 2013-06-12)
  9. Re: Batch closing of TPE related issues (from mts-std@schunter.org on 2013-06-12)
  10. Re: Batch closing of TPE related issues (from npdoty@w3.org on 2013-06-12)
  11. RE: Batch closing of TPE related issues (from wileys@yahoo-inc.com on 2013-06-10)
  12. Re: Batch closing of TPE related issues (from mts-std@schunter.org on 2013-06-10)
  13. ISSUE-192 (Re: Batch closing of TPE related issues) (from rob@blaeu.com on 2013-06-06)
  14. Re: Batch closing of TPE related issues (from rob@blaeu.com on 2013-06-06)
  15. Re: Batch closing of TPE related issues (Deadline: June 12) (from mts-std@schunter.org on 2013-06-05)
  16. Batch closing of TPE related issues (from mts-std@schunter.org on 2013-06-04)
  17. Revision on agenda -- deID decisions now on Tuesday (from peter@peterswire.net on 2013-02-04)
  18. Agenda update for Monday and Tuesday in Cambridge (compliance spec) (from peter@peterswire.net on 2013-02-04)
  19. Re: TPWG agenda for Wednesday, January 16 (from jmayer@stanford.edu on 2013-01-30)
  20. Re: TPWG agenda for Wednesday, January 16 (from singer@apple.com on 2013-01-29)
  21. Re: tracking-ISSUE-182 (MikeO): protocol for user agents to indicate whether a request with DNT set is 1st party or 3rd party [Tracking Preference Expression (DNT)] (from rigo@w3.org on 2012-11-01)
  22. RE: tracking-ISSUE-182 (MikeO): protocol for user agents to indicate whether a request with DNT set is 1st party or 3rd party [Tracking Preference Expression (DNT)] (from michael.oneill@baycloud.com on 2012-10-31)
  23. RE: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from fredandw@live.com on 2012-10-24)
  24. RE: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from fredandw@live.com on 2012-10-24)
  25. Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from ifette@google.com on 2012-10-23)
  26. Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from ifette@google.com on 2012-10-23)
  27. RE: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from fredandw@live.com on 2012-10-23)
  28. Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from ifette@google.com on 2012-10-23)
  29. RE: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from michael.oneill@baycloud.com on 2012-10-23)
  30. RE: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from michael.oneill@baycloud.com on 2012-10-23)
  31. Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from ifette@google.com on 2012-10-23)
  32. Re: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from fielding@gbiv.com on 2012-10-23)
  33. FW: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from michael.oneill@baycloud.com on 2012-10-23)
  34. RE: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from fredandw@live.com on 2012-10-23)
  35. RE: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from michael.oneill@baycloud.com on 2012-10-23)
  36. FW: tracking-ISSUE-183 (Tk E ): Additional Tk header status value for EU [Tracking Preference Expression (DNT)] (from michael.oneill@baycloud.com on 2012-10-22)
  37. RE: tracking-ISSUE-182 (MikeO): protocol for user agents to indicate whether a request with DNT set is 1st party or 3rd party [Tracking Preference Expression (DNT)] (from wileys@yahoo-inc.com on 2012-10-20)
  38. tracking-ISSUE-182 (MikeO): protocol for user agents to indicate whether a request with DNT set is 1st party or 3rd party [Tracking Preference Expression (DNT)] (from sysbot+tracker@w3.org on 2012-10-20)

Related notes:

The effort by UAs to implement this feature seems prohibitive:
- All sites are required to implement "same-party"
- Browsers need to retrieve the well-known URI before sending request for all requests

Matthias Schunter, 11 Feb 2013, 22:33:43

It has already been established in prior discussion that it is impossible for a user agent to distinguish between a first party and a third party request. It would require understanding the reason a user chose to make an action, the extent and reasons why automated redirects are followed, and complete knowledge of DNS ownership for any subsequent embedded requests. This issue should be closed.

Roy Fielding, 13 Apr 2013, 08:09:47

ISSUE-182: protocol for user agents to indicate whether a request with DNT set is 1st party or 3rd party
http://www.w3.org/2011/tracking-protection/track/issues/182

Resolution:
- This seems technically impossible
- As a consequence, I suggest to close

Matthias Schunter, 12 Jun 2013, 15:37:40


Matthias Schunter <matthias.schunter@intel.com>, Chair, Bert Bos <bert@w3.org>, Staff Contact