RE: action-334, issue-112, a summary on sub-domains for exceptions from Mike O'Neill on 2012-11-28 (public-tracking@w3.org from November 2012)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Wed, 28 Nov 2012 23:13:58 -0000
To: "'Shane Wiley'" <wileys@yahoo-inc.com>, "Nicholas Doty" <npdoty@w3.org>
Cc: <public-tracking@w3.org>
Message-ID: <021d01cdcdbe$0c746f50$255d4df0$@baycloud.com>

Hi Shane,

 

I don't think the server side work is too onerous. If we represented the
TrackingResource in webIDL:

 

 

interface TrackingResourceDescriptor {

    attribute sequence<DOMString>? same-party;

    attribute sequence<DOMString>? third-party;

    attribute sequence<DOMString>? audit;

    attribute DOMString? policy;

    attribute DOMString? control;

};

 

Even if we did not have a tracking resource, or we did not want to mess with
the one we had, it could be done client-side (say on yahoo.com) with script
like this:

 

<script type="text/JavaScript">

var tdr = new TrackingResourceDescriptor();

tdr.same-party =
["yahoo.co.uk","yahoo-inc.com","completely.different.domain.com",...];

setUGE( ["tp1.com","tp2.net"], tdr);

</script>

 

i.e. the UGE gets set for yahoo.com, yahoo.co.uk, yahoo-inc.com etc. by
setting up the other domain names in a same-party array then passing it in
using a new optional parameter to the API.

 

 

Mike

 

 

From: Shane Wiley [mailto:wileys@yahoo-inc.com] 
Sent: 28 November 2012 22:20
To: Mike O'Neill
Cc: public-tracking@w3.org; Nicholas Doty
Subject: RE: action-334, issue-112, a summary on sub-domains for exceptions

 

Mike,

 

I believe going this route still requires an over abundance of work on the
Server side - all in the attempt to stop bad actors who would not likely
submit a traceable exception for domains they don't own (already a violation
of the draft standard to do this as they are not "affiliated").  So would
again ask for making this easier for those that want to implement the
standard and not create arbitrary walls or huddles in the failed attempt to
thwart bad actors.

 

- Shane

 

From: Mike O'Neill [mailto:michael.oneill@baycloud.com] 
Sent: Wednesday, November 28, 2012 2:13 PM
To: Shane Wiley
Cc: public-tracking@w3.org; Nicholas Doty
Subject: RE: action-334, issue-112, a summary on sub-domains for exceptions

 

Hi Shane,

 

Allowing wildcards in the TLD suffix is not a good idea. There are many
domains where sites run by completely different entities only differ by the
TLD. Only subdomains can be guaranteed to be operated by entities who are
the main domain owner,  or have a contractual relationship with them. 

 

A list of domains in the tracking resource, like same-party (or another name
if we don't want to overload the meaning),  could handle this use case, and
could apply to any domain (like yahoo-inc.com). It could also work for
web-wide exceptions.

 

If we wanted to handle cases where there was no tracking resource URI, or
where the same-party list needed to be dynamically calculated, we could have
a new optional parameter to the API that references an object with
attributes mirroring the relevant elements in the tracking resource. 

 

 

Mike

Received on Wednesday, 28 November 2012 23:15:04 UTC