See also: IRC log
<schunter> 1. Constrain UGE to script origin
<schunter> Consensus: Allow sub-resources to register site-specific and web-wide
<schunter> + Constrain store (and confirm) to script origin
<dsinger> (It used to be that you could confirm that the exact Store you did, or a subset thereof, still exists.)
fielding: The confirm API that was there was confirming that a specific list of site-specific list was stored. I changed it to ask if one exists for one specific.
moneill2: You removed "site", didn't you? So can't check sub-domain. cookie-sub-domain.
fielding: Different thing. Dave talked about checking a different set than was previously stored.
... Motivation was to make it easier for scripts.
... Can request for one site instead of another site.
... But I wasn't there when the original was designed.
... OK to change back. Except I want to keep the new, nicer names.
schunter: The names are not important to anybody, I think.
<dsinger> I do care about security/privacy/fingerprinting/cross-origin etc.
schunter: So what is the current consensus, roy?
<dsinger> no
<dsinger> not yet
fielding: Do we have consensus on the e-mail?
schunter: That was my understanding.
<schunter> - Subresources can ask for web-wide and site-specific
<schunter> - Only for their script origin
<schunter> - Confirm can confirm exactly what has been stored
schunter: [see ^^]
moneill2: And the thing that Dave asked about?
... If you set site-specific without targets, that is the same as web-wide.
... So if a facebook.com iframe makes a consent, that would only apply when you actually visit facebook.com
<dsinger> right, it’s all about duplets of the top-level browsing context, and the target [top-level, target]. what is stored, and what is matched?
fielding: I changed the parameter names, to distinguish site and web wide.
... The site you are on determines the site in the tuple.
<dsinger> right, facebook got a site-specific [facebook, *]. now you’re on another site, say IBM, so we’re seeing if [IBM, facebook] matches, and it does not
fielding: If you look at the API to see what tuple is stored.
dsinger: If FB stores a site-spec exception: (FB,*). And IBM asks if there is a (IBM,FB) it receives none.
<fielding> BTW, the Xbox web browser sets DNT:1 by default
moneill2: Some of the "site domain" in the spec should be "script origin" I think.
schunter: I'd like to have that final text by Wednesday
<dsinger> I am still analyzing
schunter: Then decide on Monday and send it off.
... Any other comments or feedback?
<Zakim> dsinger, you wanted to ask about web-wide
<dsinger> as I understand it, we used to be able to store [*, top-level] for web-wide, now we can store [*, target] for all targets in the array, as long as they are same-origin related to the calling top-level, right?
dsinger: [Sound dropped]
... [See ^^]
fielding: yes, that is the current text.
<dsinger> thx, roughly right
fielding: But it has to be a target that the effective script origin can set a cookie on.
dsinger: Trying to think of a problem, but can't think of any at the moment. Making sure I understood...
schunter: So schedule is new text by Wednesday and send off on Monday, unless new problems.
fielding: Monday is big holiday in US.
<wileys> Agreed - no call next week please
dsinger: Should do a formal call. Don't take silence as consent.
<aleecia> I’m not sure I’m consenting so much as giving up :-)
<dsinger> I think you should do a formal Call for Consensus, and ask for people to reply
dsinger: Can do by e-mail, doesn't need a telcon.
shane: Set a defined period, but still allow people to not respond.
dsinger: But I want a reasonable number of people to say yes.
<aleecia> It’s more that whatever I say gets ignored so why bother. This is not lack of caring. It’s lack of expecting anything I say matters.
shane: But cannot let some people hold the WG hostage.
<wileys> Aleecia - I don’t ignore you. :-)
<aleecia> heh!
schunter: Two, three people should agree, at least.
... I'll check when we need the next telcon.
dsinger: When will we have the text?
fielding: Tomorrow night.
schunter: No call next week.
<aleecia> toodles
<fielding> trackbot, end meeting