Re: Approach to ISSUE-167: Multiple site exception from Matthias Schunter (Intel Corporation) on 2013-03-18 (public-tracking@w3.org from March 2013)

From: Matthias Schunter (Intel Corporation) <mts-std@schunter.org>
Date: Mon, 18 Mar 2013 17:49:51 +0100
To: Shane Wiley <wileys@yahoo-inc.com>, "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-ID: <514745AF.8090609@schunter.org>

Hi Shane,

thanks a lot  for the feedback. Maybe I misinterpreted the minutes 
(which I read as "let's gather implementation experience first" after 
final call).

Note that as discussed at the F2F, backward compatibility is important 
since we had to choose between user agents starting to implement the 
current API (broader support) and having full flexibility of later 
modifying the API in new (non-compatible) ways. One approach we 
discussed was to later add a function "StoreMultiSiteException" while 
leaving existing functions unchanged.

btw: What was your proposal to avoid fraud (i.e., that I ask for an 
exception for a site that I do not own)? Do I remember correctly that 
you only allow this iff the same-party fields are consistent (i.e.,, 
site1 includes site2 and site2 includes site1)?

Regards,
matthias

On 18/03/2013 17:10, Shane Wiley wrote:
> Matthias,
>
> I disagree and believe we can cover the multi-1st party (co-controller) use case with very little modification.  As this is critical to many of the larger companies within the working group, I would recommend we keep this on the table for discussion.
>
> - Shane
>
> -----Original Message-----
> From: Matthias Schunter (Intel Corporation) [mailto:mts-std@schunter.org]
> Sent: Monday, March 18, 2013 8:37 AM
> To: Shane Wiley; Mike O'Neill
> Cc: public-tracking@w3.org (public-tracking@w3.org)
> Subject: Approach to ISSUE-167: Multiple site exception
>
> ISSUE-167: Multiple site exceptions
> http://www.w3.org/2011/tracking-protection/track/issues/167
>
>
> Hi Team (and in particular Shane and Mike),
>
>
> I have re-read the minutes and it seems to be that the right approach forward to ISSUE-167 (albeit not perfect) is to leave the API as it is for final call and then understand the implementation experiences.
>
> We can then design a backward compatible way to add MultiSiteExceptions later.
> One challenge to overcome is that we need to ensure that the envisioned method is secure, i.e., that one can only ask for exceptions for sites that one owns/controls.
>
> Formally, I suggest to document this and mark ISSUE-167 as POSTPONED.
> Are you OK with this way forward?
>
>
> Regards,
> matthias
>
>

Received on Monday, 18 March 2013 16:50:17 UTC