tpe_CR_2015.txt | tpe_ED_20170321.txt | |||
---|---|---|---|---|
Link: canonical | ||||
W3C | W3C | |||
Tracking Preference Expression (DNT) | Tracking Preference Expression (DNT) | |||
W3C Candidate Recommendation 20 August 2015 | W3C Editor's Draft 21 March 2017 | |||
This version: | This version: | |||
http://www.w3.org/TR/2015/CR-tracking-dnt-20150820/ | https://w3c.github.io/dnt/drafts/tracking-dnt.html | |||
Latest published version: | Latest published version: | |||
http://www.w3.org/TR/tracking-dnt/ | https://www.w3.org/TR/tracking-dnt/ | |||
Latest editor's draft: | Latest editor's draft: | |||
http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html | https://w3c.github.io/dnt/drafts/tracking-dnt.html | |||
Implementation report: | ||||
http://www.w3.org/2011/tracking-protection/track/products/7 | ||||
Previous version: | Previous editor's draft: | |||
http://www.w3.org/TR/2014/WD-tracking-dnt-20140424/ | https://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html | |||
Editors: | Editors: | |||
Roy T. Fielding, Adobe | Roy T. Fielding, Adobe | |||
David Singer, Apple | David Singer, Apple | |||
Copyright © 2015 W3C^® (MIT, ERCIM, Keio, Beihang). W3C liability, | Copyright © 2017 W3C^® (MIT, ERCIM, Keio, Beihang). W3C liability, | |||
trademark and document use rules apply. | trademark and document use rules apply. | |||
---------------------------------------------------------------------- | ---------------------------------------------------------------------- | |||
Abstract | Abstract | |||
This specification defines the DNT request header field as an HTTP | This specification defines the DNT request header field as an HTTP | |||
mechanism for expressing the user's preference regarding tracking, an HTML | mechanism for expressing the user's preference regarding tracking, an HTML | |||
DOM property to make that expression readable by scripts, and APIs that | DOM property to make that expression readable by scripts, and APIs that | |||
allow scripts to register site-specific exceptions granted by the user. It | allow scripts to register site-specific exceptions granted by the user. It | |||
also defines mechanisms for sites to communicate whether and how they | also defines mechanisms for sites to communicate whether and how they | |||
honor a received preference through use of the Tk response header field | honor a received preference through use of the Tk response header field | |||
and well-known resources that provide a machine-readable tracking status. | and well-known resources that provide a machine-readable tracking status. | |||
Status of This Document | Status of This Document | |||
This section describes the status of this document at the time of its | This section describes the status of this document at the time of its | |||
publication. Other documents may supersede this document. A list of | publication. Other documents may supersede this document. A list of | |||
current W3C publications and the latest revision of this technical report | current W3C publications and the latest revision of this technical report | |||
can be found in the W3C technical reports index at http://www.w3.org/TR/. | can be found in the W3C technical reports index at https://www.w3.org/TR/. | |||
This document was published by the Tracking Protection Working Group as a | ||||
Candidate Recommendation on 20 August 2015. This document is intended to | ||||
become a W3C Recommendation. If you wish to make comments regarding this | ||||
document, please send them to public-tracking-comments@w3.org (subscribe, | ||||
archives). W3C publishes a Candidate Recommendation to indicate that the | ||||
document is believed to be stable and to encourage implementation by the | ||||
developer community. This Candidate Recommendation is expected to advance | ||||
to Proposed Recommendation no earlier than 20 November 2015. The Working | ||||
Group expects to have sufficient implementation experience by 20 February | ||||
2016. All comments are welcome. | ||||
Readers may review changes from the Last Call Working Draft; changes | This document is an editors' straw man reflecting a snapshot of live | |||
include: moving JavaScript property to navigator; addition of a tracking | discussions within the Tracking Protection Working Group. It does not yet | |||
status value for gateways; clarifications of terminology; and updated | capture all of our work and does not constitute working group consensus. | |||
references. An issue tracking system is available for recording raised, | Text in option boxes (highlighted with light blue background color) | |||
open, pending review, closed, and postponed issues regarding this | present options that the group is currently considering, particularly | |||
document. There is also a list of issues reported and addressed during the | where consensus is known to be lacking, and should be read as a set of | |||
Last Call period. | proposals rather than as limitations on the potential outcome. An issue | |||
tracking system is available for recording raised, open, pending review, | ||||
closed, and postponed issues regarding this document. | ||||
The following feature is at risk and might be cut from the specification | The following feature is at risk and might be cut from the specification | |||
during the CR period if there are no (correct) implementations: | during the CR period if there are no (correct) implementations: | |||
* DNT-extension | * DNT-extension | |||
Please see the Working Group's implementation report. | This document was published by the Tracking Protection Working Group as an | |||
Editor's Draft. If you wish to make comments regarding this document, | ||||
please send them to public-tracking@w3.org (subscribe, archives). All | ||||
comments are welcome. | ||||
Publication as a Candidate Recommendation does not imply endorsement by | Publication as an Editor's Draft does not imply endorsement by the W3C | |||
the W3C Membership. This is a draft document and may be updated, replaced | Membership. This is a draft document and may be updated, replaced or | |||
or obsoleted by other documents at any time. It is inappropriate to cite | obsoleted by other documents at any time. It is inappropriate to cite this | |||
this document as other than work in progress. | document as other than work in progress. | |||
This document was produced by a group operating under the 5 February 2004 | This document was produced by a group operating under the 5 February 2004 | |||
W3C Patent Policy. W3C maintains a public list of any patent disclosures | W3C Patent Policy. W3C maintains a public list of any patent disclosures | |||
made in connection with the deliverables of the group; that page also | made in connection with the deliverables of the group; that page also | |||
includes instructions for disclosing a patent. An individual who has | includes instructions for disclosing a patent. An individual who has | |||
actual knowledge of a patent which the individual believes contains | actual knowledge of a patent which the individual believes contains | |||
Essential Claim(s) must disclose the information in accordance with | Essential Claim(s) must disclose the information in accordance with | |||
section 6 of the W3C Patent Policy. | section 6 of the W3C Patent Policy. | |||
This document is governed by the 14 October 2005 W3C Process Document. | This document is governed by the 1 March 2017 W3C Process Document. | |||
Table of Contents | Table of Contents | |||
* 1. Introduction | * 1. Introduction | |||
* 2. Terminology | * 2. Terminology | |||
* 2.1 HTTP | * 2.1 HTTP | |||
* 2.2 Activity | * 2.2 Activity | |||
* 2.3 Participants | * 2.3 Participants | |||
* 2.4 Data | * 2.4 Data | |||
* 2.5 Preferences | * 2.5 Preferences | |||
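Review bot: The right-hand status section still says the DNT-extension feature "might be cut from the specification during the CR period", but the right-hand document is now an Editor's Draft and the paragraph giving the Candidate Recommendation schedule has been removed, so "the CR period" has no referent; reword the at-risk statement so it does not depend on a Candidate Recommendation timeline.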
skipping to change at line 165 | skipping to change at line 158 | |||
* 7.4.3 API to Confirm a Site-specific Exception | * 7.4.3 API to Confirm a Site-specific Exception | |||
* 7.5 Web-wide Exceptions | * 7.5 Web-wide Exceptions | |||
* 7.5.1 API to Request a Web-wide Exception | * 7.5.1 API to Request a Web-wide Exception | |||
* 7.5.2 API to Cancel a Web-wide Exception | * 7.5.2 API to Cancel a Web-wide Exception | |||
* 7.5.3 API to Confirm a Web-wide Exception | * 7.5.3 API to Confirm a Web-wide Exception | |||
* 7.6 User Interface Guidelines | * 7.6 User Interface Guidelines | |||
* 7.7 Exceptions without Interactive JavaScript | * 7.7 Exceptions without Interactive JavaScript | |||
* 7.8 Exceptions without an Expressed Preference | * 7.8 Exceptions without an Expressed Preference | |||
* 7.9 Exception Use by Sites | * 7.9 Exception Use by Sites | |||
* 7.10 Fingerprinting | * 7.10 Fingerprinting | |||
* 8. Security Considerations | ||||
* 9. Privacy Considerations | ||||
* A. Acknowledgements | * A. Acknowledgements | |||
* B. Registrations | * B. Registrations | |||
* C. References | * C. References | |||
* C.1 Normative references | * C.1 Normative references | |||
* C.2 Informative references | * C.2 Informative references | |||
1. Introduction | 1. Introduction | |||
The World Wide Web consists of billions of resources interconnected | The World Wide Web consists of billions of resources interconnected | |||
through the use of hypertext. Hypertext provides a simple, page-oriented | through the use of hypertext. Hypertext provides a simple, page-oriented | |||
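Review bot: The right-hand table of contents no longer lists "8. Security Considerations" and "9. Privacy Considerations", while 7.10 Fingerprinting and the appendices remain; if the two sections were removed deliberately the status section should say so and any cross-references to them need updating, and if not the entries should be restored.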
skipping to change at line 531 | skipping to change at line 526 | |||
Note | Note | |||
The DNT-extension feature is considered at-risk. Since no extensions have | The DNT-extension feature is considered at-risk. Since no extensions have | |||
been defined, implementors that don't read specifications are likely to | been defined, implementors that don't read specifications are likely to | |||
assume that DNT only has the fixed values of "0" or "1". Furthermore, the | assume that DNT only has the fixed values of "0" or "1". Furthermore, the | |||
potential benefits of this mechanism are unclear given that extension | potential benefits of this mechanism are unclear given that extension | |||
information could be supplied using separate request header fields. | information could be supplied using separate request header fields. | |||
5.3 JavaScript Property to Detect Preference | 5.3 JavaScript Property to Detect Preference | |||
The doNotTrack property enables a client-side script with read access to | The Navigator.doNotTrack property enables a client-side script with read | |||
the Navigator object to determine what DNT header field value would be | access to the Navigator object [HTML5] to determine what DNT header field | |||
sent in requests to the document-origin, taking into account the user's | value would be sent in requests to the document-origin, taking into | |||
general preference (if any) and any user-granted exceptions applicable to | account the user's general preference (if any) and the current | |||
that origin server. | user-granted exceptions applicable to that origin server. | |||
partial interface Navigator { | partial interface Navigator { | |||
readonly attribute DOMString? doNotTrack; | readonly attribute DOMString? doNotTrack; | |||
}; | }; | |||
doNotTrack of type DOMString, readonly , nullable | The value of Navigator.doNotTrack is the string value that would be sent | |||
Returns the same string value that would be sent in a | in a DNT-field-value (section 5.2 DNT Header Field for HTTP Requests) to a | |||
DNT-field-value (section 5.2 DNT Header Field for HTTP Requests) | target that is the document-origin of the window, in the browser context | |||
to a target that is the document-origin of the window, in the | of the current top-level origin. The value is null if no DNT header field | |||
browser context of the current top-level origin. The value is null | would be sent (e.g., because a tracking preference is not enabled); | |||
if no DNT header field would be sent (e.g., because a tracking | otherwise, the value is a string beginning with "0" or "1", possibly | |||
preference is not enabled); otherwise, the value is a string | followed by DNT-extension characters. | |||
beginning with "0" or "1", possibly followed by DNT-extension | ||||
characters. | ||||
5.4 Tracking Preference Expressed in Other Protocols | 5.4 Tracking Preference Expressed in Other Protocols | |||
A user's tracking preference is intended to apply in general, regardless | A user's tracking preference is intended to apply in general, regardless | |||
of the protocols being used for Internet communication. However, it is | of the protocols being used for Internet communication. However, it is | |||
beyond the scope of this specification to define how a user's tracking | beyond the scope of this specification to define how a user's tracking | |||
preference might be communicated via protocols other than HTTP. | preference might be communicated via protocols other than HTTP. | |||
6. Communicating a Tracking Status | 6. Communicating a Tracking Status | |||
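Review bot: In 5.3 the right-hand text keeps "a string beginning with '0' or '1', possibly followed by DNT-extension characters" directly after the note that implementors are "likely to assume that DNT only has the fixed values", yet gives scripts no guidance on reading Navigator.doNotTrack; add a sentence telling scripts to test the first character rather than compare the whole string, so that a preference carrying extension characters is still recognised.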
skipping to change at line 1350 | skipping to change at line 1343 | |||
of domain names. | of domain names. | |||
Conversely, if a wild-card is used, the user might be told that there is a | Conversely, if a wild-card is used, the user might be told that there is a | |||
stored exception for all third-parties that are embedded by the indicated | stored exception for all third-parties that are embedded by the indicated | |||
top-level origin. | top-level origin. | |||
7.4 Site-specific Exceptions | 7.4 Site-specific Exceptions | |||
7.4.1 API to Request a Site-specific Exception | 7.4.1 API to Request a Site-specific Exception | |||
Navigator.storeSiteSpecificTrackingException is called by a page to store | ||||
a site-specific tracking exception. A StoreExceptionPropertyBag dictionary | ||||
contains the information to be stored for that exception. | ||||
partial interface Navigator { | partial interface Navigator { | |||
void storeSiteSpecificTrackingException (StoreSiteSpecificExceptionProperty | Promise<void> storeSiteSpecificTrackingException(StoreExceptionPropertyBag | |||
Bag properties); | properties); | |||
}; | }; | |||
storeSiteSpecificTrackingException | ||||
Called by a page to store a site-specific tracking exception. | ||||
Parameter Type Nullable Optional Description | ||||
properties StoreSiteSpecificExceptionPropertyBag ✘ ✘ | ||||
Return type: void | ||||
dictionary StoreExceptionPropertyBag { | dictionary StoreExceptionPropertyBag { | |||
DOMString? domain; | DOMString? domain; | |||
DOMString? siteName; | DOMString? siteName; | |||
DOMString? explanationString; | DOMString? explanationString; | |||
DOMString? detailURI; | DOMString? detailURI; | |||
DOMString? expires; | DOMString? expires; | |||
long? maxAge; | long? maxAge; | |||
sequence<DOMString> arrayOfDomainStrings; | ||||
}; | }; | |||
detailURI of type DOMString, nullable | Navigator.storeSiteSpecificTrackingException passes a | |||
A location at which further information about this request can be | StoreExceptionPropertyBag that can contain the following properties: | |||
found. | ||||
domain of type DOMString, nullable | domain | |||
a cookie-domain as defined in [RFC6265], to which the exception | a cookie-domain as defined in [RFC6265], to which the exception | |||
applies. | applies. | |||
expires of type DOMString, nullable | siteName | |||
A user-readable string for the name of the top-level origin. | ||||
explanationString | ||||
A short explanation of the request. | ||||
detailURI | ||||
A location at which further information about this request can be | ||||
found. | ||||
expires | ||||
A date and time, encoded as described for the cookie Expires | A date and time, encoded as described for the cookie Expires | |||
attribute described in [RFC6265], indicating the maximum lifetime | attribute described in [RFC6265], indicating the maximum lifetime | |||
of the remembered grant. | of the remembered grant. | |||
explanationString of type DOMString, nullable | maxAge | |||
A short explanation of the request. | ||||
maxAge of type long, nullable | ||||
A positive number of seconds indicating the maximum lifetime of | A positive number of seconds indicating the maximum lifetime of | |||
the remembered grant. | the remembered grant. | |||
siteName of type DOMString, nullable | arrayOfDomainStrings | |||
A user-readable string for the name of the top-level origin. | ||||
dictionary StoreSiteSpecificExceptionPropertyBag : StoreExceptionPropertyBag { | ||||
sequence<DOMString> arrayOfDomainStrings; | ||||
}; | ||||
arrayOfDomainStrings of type sequence<DOMString>, | ||||
A JavaScript array of strings. | A JavaScript array of strings. | |||
The storeSiteSpecificTrackingException method takes a dictionary argument | ||||
of type StoreSiteSpecificExceptionPropertyBag that allows optional | ||||
information to be provided. | ||||
If the request does not include the arrayOfDomainStrings, then this | If the request does not include the arrayOfDomainStrings, then this | |||
request is for a site-wide exception. Otherwise each string in | request is for a site-wide exception. Otherwise each string in | |||
arrayOfDomainStrings specifies a target. When called, | arrayOfDomainStrings specifies a target. When called, | |||
storeSiteSpecificTrackingException MUST return immediately. | storeSiteSpecificTrackingException MUST return immediately with a Promise | |||
resolving to a void, or rejected with a DOMException SYNTAX_ERR. | ||||
If the list arrayOfDomainStrings is supplied, the user agent MAY choose to | If the list arrayOfDomainStrings is supplied, the user agent MAY choose to | |||
store a site-wide exception. If it does so it MUST indicate this in the | store a site-wide exception. If it does so it MUST indicate this in the | |||
return value. | return value. | |||
If domain is not specified or is null or empty then the execution of this | If domain is not specified or is null or empty then the execution of this | |||
API and the use of the resulting permission (if granted) use the | API and the use of the resulting permission (if granted) use the | |||
'implicit' parameter, when the API is called, the document origin. This | 'implicit' parameter, when the API is called, the document origin. This | |||
forms the first part of the duplet in the logical model, and hence in | forms the first part of the duplet in the logical model, and hence in | |||
operation will be compared with the top-level origin. | operation will be compared with the top-level origin. | |||
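Review bot: In 7.4.1 the method now returns Promise<void>, but the unchanged paragraph still requires that a user agent storing a site-wide exception in place of the requested list "MUST indicate this in the return value"; a Promise that resolves to void cannot carry that indication, so either give the Promise a resolution value that distinguishes the two outcomes or remove the requirement.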
skipping to change at line 1445 | skipping to change at line 1432 | |||
domain argument can be set to fully-qualified right-hand segment of the | domain argument can be set to fully-qualified right-hand segment of the | |||
document host name, up to one level below TLD. | document host name, up to one level below TLD. | |||
For example, www.foo.bar.example.com can set the domain parameter as as | For example, www.foo.bar.example.com can set the domain parameter as as | |||
"bar.example.com" or "example.com", but not to | "bar.example.com" or "example.com", but not to | |||
"something.else.example.com" or "com". | "something.else.example.com" or "com". | |||
If the document-origin would not be able to set a cookie on the domain | If the document-origin would not be able to set a cookie on the domain | |||
following the cookie domain rules [RFC6265] (e.g. domain is not a | following the cookie domain rules [RFC6265] (e.g. domain is not a | |||
right-hand match or is a TLD) then the duplet MUST NOT be entered into the | right-hand match or is a TLD) then the duplet MUST NOT be entered into the | |||
database and a SYNTAX_ERR exception SHOULD be thrown. | database and the returned Promise rejected with a DOMException SYNTAX_ERR. | |||
If permission is stored for an explicit list, then the set of duplets (one | If permission is stored for an explicit list, then the set of duplets (one | |||
per target): | per target): | |||
[*.domain, target] | [*.domain, target] | |||
is added to the database of remembered grants. | is added to the database of remembered grants. | |||
If permission is stored for a site-wide exception, then the duplet: | If permission is stored for a site-wide exception, then the duplet: | |||
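Review bot: The right-hand sentence "the duplet MUST NOT be entered into the database and the returned Promise rejected with a DOMException SYNTAX_ERR" drops the SHOULD that governed the old thrown exception and leaves the rejection without a stated requirement level; give it one explicitly (MUST or SHOULD) so a script knows whether it can rely on rejection to detect a refused domain. The doubled word in "set the domain parameter as as" also carried over to the right-hand text and should be fixed.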
skipping to change at line 1481 | skipping to change at line 1468 | |||
If maxAge is supplied and not null, empty or negative the remembered grant | If maxAge is supplied and not null, empty or negative the remembered grant | |||
will be cancelled (i.e. processed as if the relevant Cancel API had been | will be cancelled (i.e. processed as if the relevant Cancel API had been | |||
called) no later than the specified number of seconds following the grant. | called) no later than the specified number of seconds following the grant. | |||
If both maxAge and expires are supplied, maxAge has precedence. If neither | If both maxAge and expires are supplied, maxAge has precedence. If neither | |||
maxAge or expires are supplied, the user agent MAY retain the remembered | maxAge or expires are supplied, the user agent MAY retain the remembered | |||
grant until it is cancelled. | grant until it is cancelled. | |||
7.4.2 API to Cancel a Site-specific Exception | 7.4.2 API to Cancel a Site-specific Exception | |||
Navigator.removeSiteSpecificTrackingException is called by a page to | ||||
cancel a site-specific tracking exception. A RemoveExceptionPropertyBag | ||||
dictionary contains information to identify the exception. | ||||
partial interface Navigator { | partial interface Navigator { | |||
void removeSiteSpecificTrackingException (RemoveExceptionPropertyBag proper | Promise<void> | |||
ties); | removeSiteSpecificTrackingException(RemoveExceptionPropertyBag properties); | |||
}; | }; | |||
removeSiteSpecificTrackingException | ||||
If domain is not supplied or is null or empty then this ensures | ||||
that the database of remembered grants no longer contains any | ||||
duplets for which the first part is the current document origin; | ||||
i.e., no duplets [document-origin, target] for any target. | ||||
If domain is supplied and is not empty then this ensures that the | ||||
database of remembered grants no longer contains any duplets for | ||||
which the first part is the domain wildcard; i.e., no duplets | ||||
[*.domain, target] for any target. | ||||
There is no callback. After the call has been made, it is assured | ||||
that there are no site-specific or site-wide exceptions for the | ||||
given top-level origin. | ||||
Parameter Type Nullable Optional Description | ||||
properties RemoveExceptionPropertyBag ✘ ✘ | ||||
Return type: void | ||||
dictionary RemoveExceptionPropertyBag { | dictionary RemoveExceptionPropertyBag { | |||
DOMString? domain; | DOMString? domain; | |||
}; | }; | |||
domain of type DOMString, nullable | Navigator.removeSiteSpecificTrackingException passes a | |||
RemoveExceptionPropertyBag that can contain the following property: | ||||
domain | ||||
a cookie-domain as defined in [RFC6265], to which the exception | a cookie-domain as defined in [RFC6265], to which the exception | |||
applies. | applies. | |||
When this method returns, the database of grants no longer contains the | If domain is not supplied or is null or empty then this ensures that the | |||
indicated grant(s); if some kind of processing error occurred then an | database of remembered grants no longer contains any duplets for which the | |||
appropriate exception will be thrown. | first part is the current document origin; i.e., no duplets | |||
[document-origin, target] for any target. | ||||
If domain is supplied and is not empty then this ensures that the database | ||||
of remembered grants no longer contains any duplets for which the first | ||||
part is the domain wildcard; i.e., no duplets [*.domain, target] for any | ||||
target. | ||||
A Promise resolving to void is returned. When the Promise has been | ||||
resolved, it is assumed that there are no site-specific or site-wide | ||||
exceptions for the given top-level origin. | ||||
When the returned Promise is resolved, the database of grants no longer | ||||
contains the indicated grant(s); if some kind of processing error occurred | ||||
then an appropriate exception will be thrown. | ||||
If there are no matching duplets in the database of remembered grants when | If there are no matching duplets in the database of remembered grants when | |||
the method is called then this operation does nothing (and does not throw | the method is called then this operation does nothing (and does not throw | |||
an exception). | an exception). | |||
7.4.3 API to Confirm a Site-specific Exception | 7.4.3 API to Confirm a Site-specific Exception | |||
Navigator.confirmSiteSpecificTrackingException is called by a page to | ||||
confirm a site-specific tracking exception. A ConfirmExceptionPropertyBag | ||||
dictionary contains information to identify the exception. | ||||
partial interface Navigator { | partial interface Navigator { | |||
boolean confirmSiteSpecificTrackingException (ConfirmSiteSpecificExceptionP | Promise<boolean> | |||
ropertyBag properties); | confirmSiteSpecificTrackingException(ConfirmExceptionPropertyBag properties); | |||
}; | }; | |||
confirmSiteSpecificTrackingException | ||||
Called by a page to confirm a site-specific tracking exception. | ||||
Parameter Type Nullable Optional Description | ||||
properties ConfirmSiteSpecificExceptionPropertyBag ✘ ✘ | ||||
Return type: boolean | ||||
dictionary ConfirmExceptionPropertyBag { | dictionary ConfirmExceptionPropertyBag { | |||
DOMString? domain; | DOMString? domain; | |||
sequence<DOMString> arrayOfDomainStrings; | ||||
}; | }; | |||
domain of type DOMString, nullable | Navigator.confirmSiteSpecificTrackingException passes a | |||
ConfirmExceptionPropertyBag that can contain the following properties: | ||||
domain | ||||
a cookie-domain as defined in [RFC6265], to which the exception | a cookie-domain as defined in [RFC6265], to which the exception | |||
applies. | applies. | |||
dictionary ConfirmSiteSpecificExceptionPropertyBag : ConfirmExceptionPropertyBa | arrayOfDomainStrings | |||
g { | ||||
sequence<DOMString> arrayOfDomainStrings; | ||||
}; | ||||
arrayOfDomainStrings of type sequence<DOMString>, | ||||
A JavaScript array of strings. | A JavaScript array of strings. | |||
If the call does not include the arrayOfDomainStrings, then this call is | If the call does not include the arrayOfDomainStrings, then this call is | |||
to confirm a site-wide exception. Otherwise each string in | to confirm a site-wide exception. Otherwise each string in | |||
arrayOfDomainStrings specifies a target. | arrayOfDomainStrings specifies a target. | |||
If the list arrayOfDomainStrings is supplied, and the user agent stores | If the list arrayOfDomainStrings is supplied, and the user agent stores | |||
only site-wide exceptions, then the user agent MUST match by confirming a | only site-wide exceptions, then the user agent MUST match by confirming a | |||
site-wide exception. | site-wide exception. | |||
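Review bot: In 7.4.2 the right-hand text states the post-resolution guarantee twice and with different strength: "When the Promise has been resolved, it is assumed that there are no site-specific or site-wide exceptions" (the left-hand text said "assured") is followed by "When the returned Promise is resolved, the database of grants no longer contains the indicated grant(s)"; merge these into one statement and restore "assured" if a guarantee is meant. The same paragraph still says a processing error means "an appropriate exception will be thrown", which should become a rejection of the returned Promise to match the new signature, and the following "does not throw an exception" should say that the Promise resolves.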
skipping to change at line 1586 | skipping to change at line 1571 | |||
for the existence of all the duplets (one per target): | for the existence of all the duplets (one per target): | |||
[*.domain, target] | [*.domain, target] | |||
If the user agent stores only site-wide exceptions or the call did not | If the user agent stores only site-wide exceptions or the call did not | |||
include an explicit list, and the domain argument is provided and is not | include an explicit list, and the domain argument is provided and is not | |||
empty then the database is checked for the single duplet: | empty then the database is checked for the single duplet: | |||
[*.domain, * ] | [*.domain, * ] | |||
The returned boolean has the following possible values: | The returned Promise resolves to a boolean which has the following | |||
possible values: | ||||
* true all the duplets exist in the database; | * true all the duplets exist in the database; | |||
* false one or more of the duplets does not exist in the database. | * false one or more of the duplets does not exist in the database. | |||
7.5 Web-wide Exceptions | 7.5 Web-wide Exceptions | |||
7.5.1 API to Request a Web-wide Exception | 7.5.1 API to Request a Web-wide Exception | |||
Navigator.storeWebWideTrackingException is called by a page to request the | ||||
addition of a web-wide grant for a specific site to the database. | ||||
partial interface Navigator { | partial interface Navigator { | |||
void storeWebWideTrackingException (StoreExceptionPropertyBag properties); | Promise<void> storeWebWideTrackingException(StoreExceptionPropertyBag | |||
properties); | ||||
}; | }; | |||
storeWebWideTrackingException | Navigator.storeWebWideTrackingException passes a | |||
The single duplet [ * , document-origin] or [ * , *.domain] (based | StoreExceptionPropertyBag, as described in section 7.4.1 API to Request a | |||
on if domain is provided and is not null and not empty) is added | Site-specific Exception. | |||
to the database of remembered grants. The properties of the | ||||
StoreExceptionPropertyBag dictionary are as described above in the | ||||
request for site-specific exceptions. | ||||
Parameter Type Nullable Optional Description | ||||
properties StoreExceptionPropertyBag ✘ ✘ | ||||
Return type: void | ||||
This API requests the addition of a web-wide grant for a specific site to | The single duplet [ * , document-origin] or [ * , *.domain] (based on if | |||
the database. | domain is provided and is not null and not empty) is added to the database | |||
of remembered grants. | ||||
7.5.2 API to Cancel a Web-wide Exception | 7.5.2 API to Cancel a Web-wide Exception | |||
Navigator.removeWebWideTrackingException is called by a page to request | ||||
the removal of a web-wide grant for a specific site from the database. | ||||
partial interface Navigator { | partial interface Navigator { | |||
void removeWebWideTrackingException (RemoveExceptionPropertyBag properties) | Promise<void> removeWebWideTrackingException(RemoveExceptionPropertyBag | |||
; | properties); | |||
}; | }; | |||
removeWebWideTrackingException | Navigator.removeWebWideTrackingException passes a | |||
Ensures that the database of remembered grants no longer contains | RemoveExceptionPropertyBag, as described in section 7.4.2 API to Cancel a | |||
the duplet [ * , document-origin] or [ * , *.domain] (based on if | Site-specific Exception. | |||
domain is provided and is not null and not empty). There is no | ||||
callback. After the call has been made, the indicated pair is | ||||
assured not to be in the database. The same matching process | ||||
defined for determining which header field to send is also used to | ||||
detect which entry (if any) to remove from the database. | ||||
Parameter Type Nullable Optional Description | Ensures that the database of remembered grants no longer contains the | |||
properties RemoveExceptionPropertyBag ✘ ✘ | duplet [ * , document-origin] or [ * , *.domain] (based on if domain is | |||
provided and is not null and not empty). | ||||
Return type: void | A Promise resolving to void is returned. When the Promise is resolved, the | |||
indicated pair is assured not to be in the database. The same matching | ||||
process defined for determining which header field to send is also used to | ||||
detect which entry (if any) to remove from the database. | ||||
7.5.3 API to Confirm a Web-wide Exception | 7.5.3 API to Confirm a Web-wide Exception | |||
Navigator.confirmWebWideTrackingException is called by a page to confirm | ||||
that there exists in the database a web-wide exception for a specific | ||||
site. | ||||
partial interface Navigator { | partial interface Navigator { | |||
boolean confirmWebWideTrackingException (ConfirmExceptionPropertyBag proper | Promise<boolean> | |||
ties); | confirmWebWideTrackingException(ConfirmSiteSpecificExceptionPropertyBag | |||
properties); | ||||
}; | }; | |||
confirmWebWideTrackingException | Navigator.confirmWebWideTrackingException passes a | |||
Confirms that there exists in the database a web-wide exception | ConfirmExceptionPropertyBag, as described in section 7.4.3 API to Confirm | |||
for a specific site. | a Site-specific Exception. | |||
Parameter Type Nullable Optional Description | ||||
properties ConfirmExceptionPropertyBag ✘ ✘ | ||||
Return type: boolean | ||||
The returned boolean indicates whether the duplet [ * , document-origin] | The returned Promise resolves to a boolean indicating whether the duplet [ | |||
or [ * , *.domain] (based on if domain is provided and is not null and not | * , document-origin] or [ * , *.domain] (based on if domain is provided | |||
empty) exists in the database. | and is not null and not empty) exists in the database. | |||
* true indicates that the web-wide exception exists; | * true indicates that the web-wide exception exists; | |||
* false indicates that the web-wide exception does not exist. | * false indicates that the web-wide exception does not exist. | |||
7.6 User Interface Guidelines | 7.6 User Interface Guidelines | |||
This section is non-normative. | This section is non-normative. | |||
As described above, it is the sole responsibility of the site making an | As described above, it is the sole responsibility of the site making an | |||
API call to determine that an exception grant reflects the user's informed | API call to determine that an exception grant reflects the user's informed | |||
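Review bot: The new IDL for confirmWebWideTrackingException declares its parameter as ConfirmSiteSpecificExceptionPropertyBag, but the sentence directly after it says the method "passes a ConfirmExceptionPropertyBag", while removeWebWideTrackingException uses RemoveExceptionPropertyBag in both its IDL and its prose. Use one dictionary name in both places, so an implementer working from the IDL does not look for a type the text names differently. The Promise-based text also only says what holds "When the Promise is resolved"; state whether either Promise can reject and under what conditions, since the old synchronous text ("There is no callback. After the call has been made, the indicated pair is assured not to be in the database.") left no such open case.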
skipping to change at line 1804 | skipping to change at line 1791 | |||
exception. | exception. | |||
7.10 Fingerprinting | 7.10 Fingerprinting | |||
By storing a client-side configurable state and providing functionality to | By storing a client-side configurable state and providing functionality to | |||
learn about it later, this API might facilitate user fingerprinting and | learn about it later, this API might facilitate user fingerprinting and | |||
tracking. User agent developers ought to consider the possibility of | tracking. User agent developers ought to consider the possibility of | |||
fingerprinting during implementation and might consider rate-limiting | fingerprinting during implementation and might consider rate-limiting | |||
requests or using other heuristics to mitigate fingerprinting risk. | requests or using other heuristics to mitigate fingerprinting risk. | |||
8. Security Considerations | ||||
TBD. | ||||
9. Privacy Considerations | ||||
This entire specification is addressing privacy considerations. | ||||
A. Acknowledgements | A. Acknowledgements | |||
This specification consists of input from many discussions within and | This specification consists of input from many discussions within and | |||
around the W3C Tracking Protection Working Group, along with written | around the W3C Tracking Protection Working Group, along with written | |||
contributions from Adrian Bateman (Microsoft), Justin Brookman (CDT), | contributions from Adrian Bateman (Microsoft), Justin Brookman (CDT), | |||
Nick Doty (W3C/MIT), Marcos Caceres (Mozilla), Rob van Eijk (Invited | Nick Doty (W3C/MIT), Marcos Caceres (Mozilla), Rob van Eijk (Invited | |||
Expert), Roy T. Fielding (Adobe), Vinay Goel (Adobe), Tom Lowenthal | Expert), Roy T. Fielding (Adobe), Vinay Goel (Adobe), Tom Lowenthal | |||
(Mozilla), Jonathan Mayer (Stanford), Aleecia M. McDonald (Stanford), | (Mozilla), Jonathan Mayer (Stanford), Aleecia M. McDonald (Stanford), | |||
Mike O'Neill (Baycloud Systems), Matthias Schunter (Intel), John Simpson | Mike O'Neill (Baycloud Systems), Matthias Schunter (Intel), John Simpson | |||
(Consumer Watchdog), David Singer (Apple), Rigo Wenning (W3C/ERCIM), | (Consumer Watchdog), David Singer (Apple), Rigo Wenning (W3C/ERCIM), | |||
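Review bot: Sections 8 (Security Considerations, previously just "TBD.") and 9 (Privacy Considerations) are deleted outright on the right-hand side, so the 2017 draft runs from 7.10 Fingerprinting straight into A. Acknowledgements with no security section at all. Dropping the placeholder hides the gap instead of closing it. Keep section 8 and give it real content, or at minimum have it point to 7.10 Fingerprinting, so that the rate-limiting and heuristic mitigations mentioned there are findable from the place reviewers will look first.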
skipping to change at line 1852 | skipping to change at line 1847 | |||
Security considerations: | Security considerations: | |||
See JSON [RFC7159], Section 12. | See JSON [RFC7159], Section 12. | |||
Interoperability considerations: | Interoperability considerations: | |||
N/A | N/A | |||
Published specification: | Published specification: | |||
Tracking Preference Expression (DNT), section 6.5 Tracking Status | Tracking Preference Expression (DNT), section 6.5 Tracking Status | |||
Representation. | Representation. | |||
http://www.w3.org/TR/tracking-dnt/ | https://www.w3.org/TR/tracking-dnt/ | |||
Applications that use this media type: | Applications that use this media type: | |||
N/A | N/A | |||
Fragment identifier considerations: | Fragment identifier considerations: | |||
N/A | N/A | |||
Additional information: | Additional information: | |||
Deprecated alias names for this type: N/A | Deprecated alias names for this type: N/A | |||
Magic number(s): N/A | Magic number(s): N/A | |||
skipping to change at line 1886 | skipping to change at line 1881 | |||
Roy T. Fielding and David Singer | Roy T. Fielding and David Singer | |||
Change controller: | Change controller: | |||
W3C | W3C | |||
C. References | C. References | |||
C.1 Normative references | C.1 Normative references | |||
[HTML5] | [HTML5] | |||
Ian Hickson; Robin Berjon; Steve Faulkner; Travis Leithead; Erika | HTML5. Ian Hickson; Robin Berjon; Steve Faulkner; Travis Leithead; | |||
Doyle Navara; Edward O'Connor; Silvia Pfeiffer. HTML5. 28 October | Erika Doyle Navara; Theresa O'Connor; Silvia Pfeiffer. W3C. 28 | |||
2014. W3C Recommendation. URL: http://www.w3.org/TR/html5/ | October 2014. W3C Recommendation. URL: | |||
https://www.w3.org/TR/html5/ | ||||
[RFC2119] | [RFC2119] | |||
S. Bradner. Key words for use in RFCs to Indicate Requirement | Key words for use in RFCs to Indicate Requirement Levels. S. | |||
Levels. March 1997. Best Current Practice. URL: | Bradner. IETF. March 1997. Best Current Practice. URL: | |||
https://tools.ietf.org/html/rfc2119 | https://tools.ietf.org/html/rfc2119 | |||
[RFC3986] | [RFC3986] | |||
T. Berners-Lee; R. Fielding; L. Masinter. Uniform Resource | Uniform Resource Identifier (URI): Generic Syntax. T. Berners-Lee; | |||
Identifier (URI): Generic Syntax. January 2005. Internet Standard. | R. Fielding; L. Masinter. IETF. January 2005. Internet Standard. | |||
URL: https://tools.ietf.org/html/rfc3986 | URL: https://tools.ietf.org/html/rfc3986 | |||
[RFC5234] | [RFC5234] | |||
D. Crocker, Ed.; P. Overell. Augmented BNF for Syntax | Augmented BNF for Syntax Specifications: ABNF. D. Crocker, Ed.; P. | |||
Specifications: ABNF. January 2008. Internet Standard. URL: | Overell. IETF. January 2008. Internet Standard. URL: | |||
https://tools.ietf.org/html/rfc5234 | https://tools.ietf.org/html/rfc5234 | |||
[RFC6265] | [RFC6265] | |||
A. Barth. HTTP State Management Mechanism. April 2011. Proposed | HTTP State Management Mechanism. A. Barth. IETF. April 2011. | |||
Standard. URL: https://tools.ietf.org/html/rfc6265 | Proposed Standard. URL: https://tools.ietf.org/html/rfc6265 | |||
[RFC7159] | [RFC7159] | |||
T. Bray, Ed.. The JavaScript Object Notation (JSON) Data | The JavaScript Object Notation (JSON) Data Interchange Format. T. | |||
Interchange Format. March 2014. Proposed Standard. URL: | Bray, Ed.. IETF. March 2014. Proposed Standard. URL: | |||
https://tools.ietf.org/html/rfc7159 | https://tools.ietf.org/html/rfc7159 | |||
[RFC7230] | [RFC7230] | |||
R. Fielding, Ed.; J. Reschke, Ed.. Hypertext Transfer Protocol | Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and | |||
(HTTP/1.1): Message Syntax and Routing. June 2014. Proposed | Routing. R. Fielding, Ed.; J. Reschke, Ed.. IETF. June 2014. | |||
Standard. URL: https://tools.ietf.org/html/rfc7230 | Proposed Standard. URL: https://tools.ietf.org/html/rfc7230 | |||
[RFC7231] | [RFC7231] | |||
R. Fielding, Ed.; J. Reschke, Ed.. Hypertext Transfer Protocol | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. R. | |||
(HTTP/1.1): Semantics and Content. June 2014. Proposed Standard. | Fielding, Ed.; J. Reschke, Ed.. IETF. June 2014. Proposed | |||
URL: https://tools.ietf.org/html/rfc7231 | Standard. URL: https://tools.ietf.org/html/rfc7231 | |||
[RFC7234] | [RFC7234] | |||
R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. Hypertext | Hypertext Transfer Protocol (HTTP/1.1): Caching. R. Fielding, Ed.; | |||
Transfer Protocol (HTTP/1.1): Caching. June 2014. Proposed | M. Nottingham, Ed.; J. Reschke, Ed.. IETF. June 2014. Proposed | |||
Standard. URL: https://tools.ietf.org/html/rfc7234 | Standard. URL: https://tools.ietf.org/html/rfc7234 | |||
[WEBIDL] | [WEBIDL] | |||
Cameron McCormack; Boris Zbarsky. WebIDL Level 1. 4 August 2015. | Web IDL. Cameron McCormack; Boris Zbarsky; Tobie Langel. W3C. 15 | |||
W3C Working Draft. URL: http://www.w3.org/TR/WebIDL-1/ | December 2016. W3C Working Draft. URL: | |||
https://www.w3.org/TR/WebIDL-1/ | ||||
C.2 Informative references | C.2 Informative references | |||
[KnowPrivacy] | [KnowPrivacy] | |||
Joshua Gomez; Travis Pinnick; Ashkan Soltani. KnowPrivacy. 1 June | KnowPrivacy. Joshua Gomez; Travis Pinnick; Ashkan Soltani. UC | |||
2009. URL: | Berkeley, School of Information. 01 Jun 2009. URL: | |||
http://www.knowprivacy.org/report/KnowPrivacy_Final_Report.pdf | http://www.knowprivacy.org/report/KnowPrivacy_Final_Report.pdf | |||
[Orderly] | [Orderly] | |||
Lloyd Hilaiel. Orderly JSON. 10 Feb 2015. URL: | Orderly JSON. Lloyd Hilaiel.10 Feb 2015. URL: | |||
http://orderly-json.org/ | http://orderly-json.org/ | |||
[RFC5785] | [RFC5785] | |||
M. Nottingham; E. Hammer-Lahav. Defining Well-Known Uniform | Defining Well-Known Uniform Resource Identifiers (URIs). M. | |||
Resource Identifiers (URIs). April 2010. Proposed Standard. URL: | Nottingham; E. Hammer-Lahav. IETF. April 2010. Proposed Standard. | |||
https://tools.ietf.org/html/rfc5785 | URL: https://tools.ietf.org/html/rfc5785 | |||
[RFC6570] | [RFC6570] | |||
J. Gregorio; R. Fielding; M. Hadley; M. Nottingham; D. Orchard. | URI Template. J. Gregorio; R. Fielding; M. Hadley; M. Nottingham; | |||
URI Template. March 2012. Proposed Standard. URL: | D. Orchard. IETF. March 2012. Proposed Standard. URL: | |||
https://tools.ietf.org/html/rfc6570 | https://tools.ietf.org/html/rfc6570 | |||
[TCS] | [TCS] | |||
Nick Doty; Heather West; Justin Brookman; Sean Harvey; Erica | Tracking Compliance and Scope. Nick Doty; Heather West; Justin | |||
Newland. Tracking Compliance and Scope. 14 July 2015. W3C Last | Brookman; Sean Harvey; Erica Newland. W3C. 31 March 2015. W3C | |||
Call Working Draft. URL: http://www.w3.org/TR/tracking-compliance/ | Working Draft. URL: https://www.w3.org/TR/tracking-compliance/ | |||
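Review bot: The [TCS] entry moves backwards in the newer draft: the 2015 text cites the 14 July 2015 W3C Last Call Working Draft, while the 2017 text cites a 31 March 2015 W3C Working Draft. Confirm which publication is meant and restore the later one if the change came from regenerating the bibliography. Smaller points in the same block: [Orderly] lost the space after the author ("Lloyd Hilaiel.10 Feb 2015") and is the only reformatted entry with no publisher, [WEBIDL] is now dated 15 December 2016 with Tobie Langel added but its URL still ends in WebIDL-1/, and the [KnowPrivacy] and [Orderly] URLs remain http while the W3C URLs in this block were moved to https.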
End of changes. 71 change blocks. | ||||
210 lines changed or deleted | 199 lines changed or added | |||
This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |