ACTION-314: Draft non-normative examples of how a multi-domain site technically can ask for exceptions

Shane,

The existing API says that the API is relative to the top-level origin (and
the target(s), if any) and this is still the assumption in Adrian's new API.
Are you saying this should be changed to refer to any document origin? I
read the reference to the document-origin in the grants database as
short-hand for the top-level document origin; if this was not meant, then a
better explanation needs to be given in 6.3.

Mike

From: Shane Wiley [mailto:wileys@yahoo-inc.com] 
Sent: 05 November 2012 17:00
To: Mike O'Neill; public-tracking@w3.org
Subject: RE: ACTION-314: Draft non-normative examples of how a multi-domain
site technically can ask for exceptions

Mike,

We've vetted this approach with the Working Group in DC and still feel it's
the appropriate path.  The goal is to build a standard for good actors, not
hijack the focus for bad actors that would not implement DNT in the first
place (or develop a "silent exception" process due to its audit trail).

- Shane

From: Mike O'Neill [mailto:michael.oneill@baycloud.com] 
Sent: Monday, November 05, 2012 9:55 AM
To: public-tracking@w3.org
Subject: Re: ACTION-314: Draft non-normative examples of how a multi-domain
site technically can ask for exceptions

Shane,

I don't think that will work, because the document origin of the iframes
will be different to the top-level document origin of the page. i.e. if an
iframe embedded in site xyz.com has src=companyxyz.com/resource then JS in
the resource (executed in a third-party context) will not be able to set an
exception for xyz.com. This is as it should be because otherwise it would be
too easy for third-party script to silently create exceptions without the
user being aware.

Script in the window (with doc origin) companyxyz.com could set up a target
exception for xyz.com and vice versa though.

Mike

Received on Monday, 5 November 2012 17:44:03 UTC