IRC log of dnt on 2017-08-21

Timestamps are in UTC.

15:59:34 [RRSAgent]
RRSAgent has joined #dnt
15:59:34 [RRSAgent]
logging to
15:59:49 [moneill2]
moneill2 has joined #dnt
16:00:25 [moneill2]
the webex link says the meeting is cancelled
16:00:59 [Bert]
16:01:01 [Bert]
16:01:37 [Bert]
16:02:02 [Bert]
Bert has changed the topic to:
16:02:04 [schunter_]
schunter_ has joined #dnt
16:02:31 [fielding]
fielding has joined #dnt
16:02:34 [Bert]
trackbot, start telcon
16:02:37 [trackbot]
RRSAgent, make logs world
16:02:37 [Zakim]
Zakim has joined #dnt
16:02:38 [trackbot]
Meeting: Tracking Protection Working Group Teleconference
16:02:38 [trackbot]
Date: 21 August 2017
16:02:59 [wileys]
wileys has joined #dnt
16:03:11 [dsinger]
present+ dsinger
16:03:28 [Bert]
16:03:29 [wileys]
Unable to connect just yet - need to recover account - one second (we switched to @oath domain last week so its causing havoc with these types of accounts)
16:03:36 [schunter_]
I tried the info at the link that Bert posted.
16:03:42 [moneill2]
present+ moneill2
16:03:44 [schunter_]
Webex says "meeting cancelled or ended".
16:04:25 [moneill2]
this one works:
16:04:31 [at]
at has joined #dnt
16:05:20 [schunter_]
Just managed to join by manually entering meeting ID and password.
16:05:24 [schunter_]
16:06:32 [Bert]
16:07:00 [fielding]
16:10:25 [Bert]
zakim, list participants
16:10:25 [Zakim]
As of this point the attendees have been dsinger, moneill2, Bert, fielding
16:10:33 [Bert]
present+ Alan, Matthias, Shane
16:10:38 [moneill2]
same-party you mean?
16:10:45 [dsinger]
I don’t recall ever linking the exception API to the well-known resource
16:11:42 [dsinger]
16:13:18 [moneill2]
16:14:01 [dsinger]
but that has the caller making the assertion of same-party in a way that can’t be audited/tracked/etc.
16:14:20 [dsinger]
16:15:11 [wileys]
16:15:39 [fielding]
is someone goint to scribe?
16:15:46 [fielding]
16:16:00 [schunter_]
Bert? could you?
16:16:05 [dsinger]
16:16:11 [Bert]
Scribenick: bert
16:16:22 [schunter_]
16:16:41 [dsinger]
I think that Mike is right, you have to open browsing contexts for those sites, and they can then register the exceptions
16:16:43 [Bert]
Topic: Shane's issue about multiple site exceptions in one API call
16:16:48 [fielding]
We are talking about
16:17:05 [schunter_]
ack mo
16:17:43 [Bert]
(Discussion about whether this was in an earlier version. It appears it was not. Discussion about whether a site is allowed to set exception for other domain at all.)
16:18:18 [schunter_]
ack wi
16:18:43 [Bert]
Shane: [...] get consent as user visits each domain, iframes.
16:19:05 [Bert]
schunter_: We don't want to break same-origin policy.
16:19:15 [Bert]
... I'd like to close this doscussion.
16:19:39 [wileys]
Next issue: Notification of exception registrations from 3rd parties to 1st parties
16:19:43 [Bert]
... I think we decided earleir we wouldn't allow such mutliple registrations.
16:19:47 [fielding]
do we have this on the issues list?
16:19:51 [Bert]
... Shane, OK?
16:19:59 [Bert]
Shane: For now, yes.
16:20:29 [Bert]
... It is harder. We'll come back in the future with more data.
16:20:56 [fielding]
yes, the section suggests that the browser save that information along with the exception data
16:21:10 [Bert]
... Some sort of freedom outside of same-origin, so yahoo,com and can share a policy.
16:21:34 [Bert]
schunter_: Can maybe add a new call later, keeping backwards compat.
16:22:06 [Bert]
shane: This is sort of counter to natural adoption curve in internet.
16:22:18 [Bert]
schunter_: Your second issue:
16:22:35 [moneill2]
16:22:49 [Bert]
shane: 3rd parties registering exceptions. Would like a way to discover that that has occured.
16:23:28 [Bert]
moneill2: Agree there should be a way to report, because the 3rd party can cause legal problem for 1st.
16:23:54 [Bert]
... I suggested we just have an indication from 1st party whether they allow it to happen.
16:24:16 [Bert]
... Some flag sayiung this 3rd party is allowed to register an exception.
16:24:51 [moneill2]
16:25:03 [Bert]
shane: Say displays adds in a news feed. We dont' want a 3rd party to register an exception at that point, in an iframe.
16:25:20 [Bert]
... We can't technically stop them, We would like to be informed.
16:25:36 [Bert]
dsinger: iframe is a top-level context?
16:26:10 [Bert]
moneill2: can have some flag that says *.domain can set an exception.
16:26:45 [fielding]
This would only be the case where a third party iframe contains javascript that is executed. It can call the API to store a site-specific exception. This is not changed at all by the recent edits, other than being exposed vecause there is less text objuscation.
16:26:46 [Bert]
dsinger: Site setting exception has to match browsing context.
16:27:05 [fielding]
16:27:30 [Bert]
fielding: There is no chnage here. This is what the API did before.
16:28:42 [Bert]
... Javascript can set any target it want. Relies on regulator checking that site follows rules.
16:28:52 [schunter_]
16:29:04 [Bert]
... A site would do better just ignoring DNT in that case.
16:29:28 [Bert]
dsinger: [missed]
16:30:07 [Bert]
Shane: Worst they can do is set a site-wide exception.
16:30:27 [Bert]
dsinger: Why would advertiser expect a user to visit them as a top level site?
16:30:43 [Bert]
shane: Cn't they do web-wide then?
16:31:35 [Bert]
shane: Imagine an industry approach. They would need an iframe approach.
16:32:19 [moneill2]
6.6.1 starting "For each of the targets in a web-wide exception"
16:32:21 [Bert]
... I like roy's argument that there are many ways to exploit the standard. But as it is traceable, they're better off not doing it throught DNT.
16:32:22 [dsinger]
Registering a site-wide for ‘myself’ (all you can do) when myself is an ad site seems useless; no-one visits ad sites. But registering a web-wide is a huge break; but they are asserting they have consent, and if they don’t, they have a glaring error (that;s noticeable)
16:32:30 [dsinger]
16:32:36 [Bert]
... So I'm good now. That closes the discussion for me.
16:33:02 [Bert]
moneill2: In the new conform call: Can't confirm a sub-somain, as you used to be able to.
16:33:41 [Bert]
fielding: Yes, that did chnage. Makes it easier to fingerprint the user.
16:34:03 [Bert]
... could ask for a user's exceptions on sites you don't own.
16:34:37 [Bert]
moneill2: In the confirm call, site param is now ignored.
16:34:49 [Bert]
dsinger: Doesn't same-origin apply?
16:35:45 [Bert]
s/Makes it easier/Made it too easy/
16:36:25 [Bert]
[Discussion about what the spec actually says.]
16:36:56 [Bert]
dsinger: Why doesn't the confirmn call exactly match the store call? Why did it change?
16:37:36 [Bert]
fielding: It allowed any party to make a query on any domain. I removed that. It now allows if a an exception exiosts on a specific site.
16:37:48 [fielding]
16:37:57 [Bert]
dsinger: Previosuly you coul donly ask about your own site.
16:38:27 [fielding]
"To avoid revealing too much information about other sites, any value for site is ignored and the calling script's site domain is used instead for matching with stored exceptions."
16:39:02 [Bert]
schunter_: So a site can only ask for confirmations affecting its own site.
16:39:59 [dsinger]
I agree that the old confirm call didn’t have text saying that CORS had to be respected. But I am not sure we have not introduced a different problem here.
16:40:00 [Bert]
moneill2: I think the only diff. is you can't do it on a subdomain. Why don't we allow that? You can set an exception on a sub-domain, whay can't you query it?
16:40:55 [Bert]
dsinger: Old text didn't say it explicitly that you have respects same-origin.
16:41:05 [schunter_]
Confirm call now only allows "site=null"
16:41:13 [schunter_]
(means site=origin)
16:41:23 [schunter_]
store also allows "*" for web-wide
16:41:32 [schunter_]
and cookie rules for sub-domains
16:41:46 [dsinger]
16:41:54 [schunter_]
ack mon
16:42:56 [fielding]
I don't care either way, except I am not available to rewrite.
16:43:50 [Bert]
moneill2: I agree with roy's addition to web-wide. But what in 6.6.3. "any value for site is ignored"
16:45:12 [Bert]
schunter_: site param allows null and *. You cannot confirm if a web-swide exception exists.
16:45:16 [fielding]
The old confirm API is at
16:45:25 [dsinger]
I think Mike is saying that the confirm call doesn’t match the store; the basic operation “do I still have this that I stored?” has to work
16:45:57 [fielding]
16:48:53 [schunter_]
cases: site="*"
16:49:06 [Bert]
schunter_: storeTrackingException can set an excpetion for a sub-domain. trackingExceptionExists cannot query that same sub-domain.
16:50:19 [schunter_]
16:50:56 [Bert]
fielding: My concern about the previous API, whcih is still in /TR, is that it allowed qdiscovering info about other domains.
16:50:56 [schunter_]
1. Say that it can only be called to query exceptions for the given origin
16:51:09 [dsinger]
Two basic principles: the same-origin restrictions on confirm and store should be the same; and you should be able to confirm exactly what you thought you stored
16:51:26 [dsinger]
i.e. ask the question: has my prior store been deleted or does it still stand?
16:51:52 [Bert]
schunter_: fingerprinting risk. A nasty company could set a user-specific cookie.
16:52:23 [Bert]
... But I'd then have to iterate through all user patterns.
16:52:27 [schunter_]
s/cookie/cookie-like pattern/
16:53:00 [Bert]
dsinger: web-wide excpetion now has targets, which it didn't have before.
16:53:18 [dsinger]
I regret to say that we need a repeated security+privacy+TAG review, given the number of changes
16:53:26 [Bert]
schunter_: That is for next week.
16:53:30 [fielding]
Reminder, the issues list is at
16:53:39 [dsinger]
I am not enough of an expert to be comfortable
16:53:48 [fielding]
We have no open issues on the draft, right now.
16:53:49 [schunter_]
2. Add "*" and cookie rules as site options (similar to store)
16:55:16 [schunter_]
1: Cross-origin restrictions must be documented for store and confirm
16:55:19 [Bert]
fielding: If there is something in the old API that I accidentally removed, let me know and I'll restore it.
16:55:38 [Bert]
schunter_: Who can write it?
16:55:39 [schunter_]
16:55:51 [Bert]
moneill2: I can write an edit and send to the list.
16:56:04 [Bert]
dsinger: We need a TAG review on this.
16:56:08 [schunter_]
1. Explain that confirm and store must respect same-origin
16:56:13 [dsinger]
…and a PING review
16:56:34 [fielding]
right, most of this work was just to get the API to the point where people might be willing to review.
16:56:40 [schunter_]
2. Copy options for "site" parameter "*" and "cookie-like pattern" from store to confirm
16:58:02 [fielding]
"For each of the targets in a web-wide exception, a user agent MUST NOT store the duplets and MUST reject the promise with a DOMException named "SecurityError" unless the target domain matches both the document.domain of the script's responsible document and the document.domain of the top-level browsing context's active document [HTML5]. This effectively limits the API for web-wide exceptions to the single target domain of the caller."
16:58:11 [Bert]
dsinger: We seemed to have added the possibility to set multiple targets in a web-wide exception. But most of all I want a security & privacy review of the new API.
16:59:08 [Bert]
schunter_: If we wait for review, we push off the CR again.
16:59:30 [Bert]
dsinger: Can probably have the review during CR. For Bert to check with plh and others.
17:00:33 [Bert]
moneill2: Not allowing DNT:1 by default may upset DPA in Europe. But leave well-enough alone.
17:01:22 [Bert]
fielding: I wrote a section why DNT:1 is not set by default. It is just information, but it is needed, because multiple parties have said it is OK to set DNT:1 by default.
17:01:50 [Bert]
... Not sure why that is. Is the spec not clear? Are people misleading legislators?
17:02:30 [Bert]
... Section 10.1 is not supposed to say anything different from 5.1
17:02:55 [Bert]
moneill2: "5.2"
17:03:11 [fielding]
actually, 5.1
17:04:08 [Bert]
RRSAgent, make minutes v2
17:04:08 [RRSAgent]
I have made the request to generate Bert
17:04:17 [fielding]
we were talking about
17:04:20 [Bert]
zakim, list participants
17:04:20 [Zakim]
As of this point the attendees have been dsinger, moneill2, Bert, fielding, Alan, Matthias, Shane
17:05:20 [Bert]
RRSAgent, make minutes v2
17:05:20 [RRSAgent]
I have made the request to generate Bert
17:05:37 [Bert]
chair: schunter_
17:06:49 [Bert]
17:07:07 [Bert]
17:08:24 [Bert]
i/3rd parties registering exceptions/topic: 3rd Parties Registering Exceptions on 1st Party Sites/
17:09:07 [Bert]
17:09:34 [Bert]
17:10:08 [Bert]
17:11:10 [Bert]
s/conform call/confirm call/
17:11:32 [Bert]
17:13:02 [Bert]
s/if a an exception exiosts on a specific site./if an exception exists on the specific site./
17:13:16 [Bert]
s/coul donly/could only/
17:13:58 [Bert]
s/whay /why /
17:14:22 [Bert]
s/have respects/have to respect/
17:15:00 [Bert]
17:15:30 [Bert]
17:15:42 [Bert]
17:15:56 [Bert]
s/qdiscovering /discovering /
17:16:20 [Bert]
17:17:49 [Bert]
s/We seemed to have added/We seem to have added/
17:18:42 [Bert]
RRSAgent, make minutes v2
17:18:42 [RRSAgent]
I have made the request to generate Bert
17:20:01 [Bert]
previous meeting:
17:20:04 [Bert]
RRSAgent, make minutes v2
17:20:04 [RRSAgent]
I have made the request to generate Bert
17:47:14 [at_]
at_ has joined #dnt