RE: action-334, issue-112, a summary on sub-domains for exceptions from Mike O'Neill on 2013-01-12 (public-tracking@w3.org from January 2013)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Sat, 12 Jan 2013 18:27:47 -0000
To: "'David Singer'" <singer@apple.com>, "'Roy T. Fielding'" <fielding@gbiv.com>, <wileys@yahoo-inc.com>
Cc: "'Tracking Protection Working Group'" <public-tracking@w3.org>
Message-ID: <02a001cdf0f2$873c72d0$95b55870$@baycloud.com>

The user-agent wouldn't have to check every time (for mutual referencing
same-party array entries) , just the first-time the same-party site is
visited. For example webmail.com has a same-party array containing
["att.webmail.net",bt.webmail.co.uk","*.webmail.org",---] and executes the
exception API. The user-agent stores exception status for all *.webmail.com,
as well as att.webmail.net,  bt.webmail.co.uk and all *.webmail.org but sets
a "check_same_party" flag for all domain origins other than those that match
*.webmail.com

The first time it visits, say, att.webmail.net ( or any *.webmail.org) if it
finds an exception and "check_same_party" is true it checks that its
same_party array contains an entry that matches *.webmail.com. If it does it
clears the flag and sets DNT:0, otherwise  it removes the exception.

The extra round trip (to the TR) would be negligible.

Also I think we should have another name for joint-controllers so we don't
cause confusion. Maybe joint_party or something similar.

Cheers

Mike

-----Original Message-----
From: David Singer [mailto:singer@apple.com] 
Sent: 12 January 2013 00:19
To: Roy T. Fielding
Cc: Tracking Protection Working Group
Subject: Re: action-334, issue-112, a summary on sub-domains for exceptions

On Jan 11, 2013, at 15:05 , "Roy T. Fielding" <fielding@gbiv.com> wrote:

> On Jan 11, 2013, at 10:00 AM, David Singer wrote:
>> On Jan 10, 2013, at 17:09 , Shane Wiley <wileys@yahoo-inc.com> wrote:
>> 
>>> David,
>>> 
>>> You hit my core concern with "preferably by using a shared list" as it
appeared the way Mike had described the interaction that the "shared list"
would be bound by same origin requirements and this would require a list per
domain variation.  As long as we're okay that the domain flagging "include
these related domains" not require a same origin for storage of said list,
then we should be okay.  I believe it would be a requirement that the domain
pointing at the shared list exist in the list themselves as a sanity check
is appropriate.  Agreed?
>> 
>> I think we are converging.  What I was saying was that it's easiest 
>> if the 'same-party' pointer at the various sites actually is the same 
>> URL, and includes all those sites.  So then it's clear that
>> 
>> fooey.com -> http://www.example.com/resources/same-party.txt
>> example.com -> http://www.example.com/resources/same-party.txt
>> and that file contains
>> example.com
>> fooey.com
>> 
>> Then it's clear that fooey.com and example.com are indeed part of the
same party.  We need to avoid someone saying "I'm part of Yahoo!" when
Yahoo! does not agree, or at least have that case detectable and flaggable.
> 
> The current same-party definition is for an array of domains inside 
> the first party's TSR.  We could change that to a link (pointer), but 
> that means managing yet another resource on the first party site and 
> needing yet another request to get that information.  Right now, the 
> API (as I understand it) doesn't require any additional network 
> requests to work because the javascript already knows what domains for 
> which it needs an exception.
> 
> Someone else does not say they are part of Yahoo!  Yahoo's site says 
> the following domains are part of me, and if the UA wants to verify 
> that they can simply look at Yahoo's site tracking status resource.
> 
> In short, I see no value to this new design and plenty of extra cost.

OK, it was an attempt at a minor optimization.  

As it is, which is OK, if you want to confirm, you visit site fooey.com, and
fetch its same-party resource.  It says "yahoo.com, barree.com, yahoo.com".
You wonder if this is all true, and you visit those other two sites to get
their same-party resources, and they contain fooey.com.  It's a little more
complex than comparing "are they the same pointer?" or "are they the same
strings?" (because they may have the site names in a different order, or
yahoo may claim more same-party sites than the subsidiary sites need to
mention), but it's do-able.

> 
> ....Roy
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Saturday, 12 January 2013 18:28:27 UTC