- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Sun, 23 Sep 2012 11:31:09 -0700
- To: Matthias Schunter <mts-std@schunter.org>
- Cc: "public-tracking@w3.org" <public-tracking@w3.org>
On Sep 22, 2012, at 11:13 AM, Matthias Schunter wrote: > Hi Team, > > triggered by last weeks call, I created ISSUE-146 that allows us to > discuss to what extent the "same-party" attribute should be optional. > > During the call, we discussed three options so far: > > (A) Current draft: Resource is optional I think you mean: The same-party member is optional. User agents can still be deployed that test for same-party and complain when none is found, possibly resulting in incentive for first party sites to supply it, but there is no interoperability requirement. > (B) Alternative proposal 1: If multiple domains on a page belong to the > same party, then this fact SHOULD be declared using the same-party attribute > > (C) Alternative proposal 2: State that user agents MAY assume that > additional elements that are hosted under a different URL and occur on a > page and declare "intended for 1st party use" are malicious unless this > URL is listed in the "same-party" attribute I only recall discussing (A) and (B). (C) is not a valid statement because it has nothing to do with interoperability -- user agents are free to assume anything they want based on the input they get, including equally bogus assumptions like the moon is made of cheese. It certainly doesn't deserve mentioning in a spec. ....Roy
Received on Sunday, 23 September 2012 18:31:32 UTC