Re: ACTION-201 (ISSUE-112) from Nicholas Doty on 2012-07-27 (public-tracking@w3.org from July 2012)

From: Nicholas Doty <npdoty@w3.org>
Date: Thu, 26 Jul 2012 19:03:45 -0700
To: ifette@google.com
Cc: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
Message-Id: <BFFE3FD5-F922-4E4A-A642-873C9F58056F@w3.org>

On Jul 25, 2012, at 8:36 AM, Ian Fette (イアンフェッティ) wrote:

> "How are sub-domains handled for site-specific exceptions?" - from a browser standpoint, I don't wish to further propagate the notion of "registry controlled domains" which is an unfortunate reality that we currently have with cookies, where browsers try to keep a list of what is a "public suffix" (contains multiple unrelated entities beneath it, such as .com). We have ~6,800 entries in there so far (http://mxr.mozilla.org/mozilla-central/source/netwerk/dns/effective_tld_names.dat?raw=1) - this is only getting worse now that ICANN has, in a rather questionable move (personal opinion), decided to make the top-level domain namespace a wild west. 
> 
> So, I don't want to say "all subdomains" because we have no idea what that means.
> 
> Rather, I would prefer to say "A site can request a site-wide exception for its own origin and any other origins that it considers to also be in the same party, e.g. http://www.example.com could request a site-wide exception for http://www.example.com, https://www.example.com, https://example.com, https://mail.example.com, https://www.example.de, http://www.example.de"
> 
> Sadly, I fear this is going to become nightmarish as sites add and delete origins over time ("Hey, now we're http://search.google!" or "Hey, we just launched example.az" or "newproduct.example.com"). That said, I've got nothing better to offer... 

I certainly agree this could get nightmarish. What if we indicate that as a semantic matter, an exception is requested for the effective script origin (a la [0]) and then note that user agents might provide users with the option to automatically extend/persist such permissions on other affiliated origins? We could note the use of the "same-party" field in the tracking status resource (or, for that matter, OUR-HOST [1]) and if browsers implement this technique, that would provide an incentive for sites to document their party relationships.

It sounds like there's agreement that exception requests should not extend to sub-domains, given the uncertainty over what a sub-domain implies.

Thanks,
Nick

[0] http://lists.w3.org/Archives/Public/public-tracking/2012Jul/0104.html
[1] http://www.w3.org/P3P/2004/03-domain-relationships.html

Received on Friday, 27 July 2012 02:03:59 UTC