link shorteners and redirections

I have been thinking about the link shortener issue and the wider one of
linking via redirection. I think this is increasingly used as a tracking
technique and should be ruled out for DNT:1 users in the spec.

Safari (and eventually other UAs) by default implement third-party cookie
blocking, but this does not stop cookies placed via a redirection to a
first-party link. 

To get round these default blocks, a tracker could supply a JavaScript
library, or an external link to it. On page load this would automatically
scan all the links on a page and edit the href URIs to point to the
tracker's domain, inserting an extra query parameter to enable a return to
the ostensibly visited site via a 30x redirect.

When a user clicks on an in-page link they are taken indirectly via the
tracker's site, without being aware of it. Any cookies placed by the tracker
would be seen by the UA as first party and would not be blocked.

This technique could even be used to track users who set up their UA to
completely block cookies, by inserting a UID into the redirected URL and
using a permanent 301 redirect so the amended URL gets cached.

I wonder if a slight change to the definition of first-party would clarify
that DNT is meant to cover this, avoid UAs having to finesse blocking of
cookies on 30x status code response, and also avoid mentioning link
shorteners explicitly. 

Definitions (in TPE):

With respect to a given user action, a first party is a party with which the
user intends to interact, via one or more network interactions, as a result
of making that action. Merely hovering over, muting, pausing, or closing a
given piece of content, or being redirected via a party of which the user is
unaware, does not constitute a user's intent to interact with another party.
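The link-rewriting pattern described in the message above can be audited from the defending side. The following is an added example, not code from the original message or from the working group: it inspects a page's anchor hrefs for links that leave the page's host and carry the real destination as an absolute URL in a query parameter, and offers an unwrapping step a UA or extension could apply. Function names, the `.invalid` redirector host and the sample hrefs are all constructed for illustration.

```javascript
// Added example (not from the original message): audit a page's anchors for the
// redirect-wrapping pattern described above, where a script has rewritten
// hrefs to point at a third-party host and stashed the real destination in a
// query parameter. Function names and sample values are hypothetical/constructed.

// Returns a finding for each href that (a) leaves the page's host and
// (b) carries an absolute http(s) URL in one of its query parameters.
// Same-host links are left alone, so an ordinary first-party click logger
// is not reported; only the cross-site hop the message describes is.
function findWrappedLinks(pageOrigin, hrefs) {
  const pageHost = new URL(pageOrigin).hostname;
  const findings = [];
  for (const href of hrefs) {
    let link;
    try { link = new URL(href, pageOrigin); } catch { continue; } // unparsable href
    if (link.hostname === pageHost) continue;
    for (const [name, value] of link.searchParams) {
      let inner;
      try { inner = new URL(value); } catch { continue; }        // not an absolute URL
      if (inner.protocol !== 'http:' && inner.protocol !== 'https:') continue;
      // Any other parameters on the redirector URL are candidates for a per-user ID.
      const extra = [...link.searchParams.keys()].filter(k => k !== name);
      findings.push({ href, redirector: link.hostname, param: name,
                      destination: inner.href, extraParams: extra });
      break; // one finding per link is enough
    }
  }
  return findings;
}

// Mitigation a UA or extension could apply: replace each wrapped href with
// its embedded destination so the click never visits the redirector.
function unwrapLinks(pageOrigin, hrefs) {
  const byHref = new Map(findWrappedLinks(pageOrigin, hrefs).map(f => [f.href, f.destination]));
  return hrefs.map(h => byHref.get(h) ?? h);
}

// Constructed sample: anchors as a rewriting script might have left them.
const SAMPLE_ORIGIN = 'https://example.com';
const SAMPLE_HREFS = [
  '/about',                                                   // relative, same site
  'https://example.com/blog/?utm_source=newsletter',          // same site with params
  'https://partner.example.net/pricing',                      // cross-site, no wrap
  'https://r.tracker.invalid/go?u=https%3A%2F%2Fexample.com%2Fpricing&uid=7f3a',
];

console.log(findWrappedLinks(SAMPLE_ORIGIN, SAMPLE_HREFS));
console.log(unwrapLinks(SAMPLE_ORIGIN, SAMPLE_HREFS));
```

Only the fourth sample href is reported, with `u` as the return parameter and `uid` listed as the extra parameter worth a closer look; the unwrapped list points that link straight at `https://example.com/pricing`.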

Received on Friday, 11 July 2014 19:05:25 UTC