RE: ACTION-314: Draft non-normative examples of how a multi-domain site technically can ask for exceptions from Shane Wiley on 2012-11-05 (public-tracking@w3.org from November 2012)

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Mon, 5 Nov 2012 09:00:29 -0800
To: "Mike O'Neill" <michael.oneill@baycloud.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <63294A1959410048A33AEE161379C8027484B81484@SP2-EX07VS02.ds.corp.yahoo.com>

Mike,

We've vetted this approach with the Working Group in DC and still feel it's the appropriate path.  The goal is to build a standard for good actors, not hijack the focus for bad actors that would not implement DNT in the first place (or develop a "silent exception" process due to its audit trail).

- Shane

From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
Sent: Monday, November 05, 2012 9:55 AM
To: public-tracking@w3.org
Subject: Re: ACTION-314: Draft non-normative examples of how a multi-domain site technically can ask for exceptions

Shane,

I don't think that will work, because the document origin of the iframes will be different to the top level document origin of the page. i.e. if an iframe embedded in site xyz.com has src=companyxyz.com/resource then JS in the resource (executed in a third-party context) will not be able to set an exception for xyz.com. This is as it should be because otherwise it would be too easy for third-party script to silently create exceptions without the user being aware

Script in the window (with doc origin ) companyxyz.com could set up a target exception for xyz.com and vice versa though.

Mike

Received on Monday, 5 November 2012 17:01:14 UTC