This specification defines the DNT request header field as an HTTP mechanism for expressing a user's preference regarding tracking, an HTML DOM property to make that expression readable by scripts, and APIs that allow scripts to register exceptions granted by the user. It also defines mechanisms for sites to communicate whether and how they honor a received preference, including well-known resources for retrieving preflight tracking status, a media type for representing tracking status information, and the Tk response header field for confirming tracking status.

This document is an editors' straw man reflecting a snapshot of live discussions within the Tracking Protection Working Group. It does not necessarily constitute working group consensus. This draft has been prepared using the DNT github repository and its associated issues list. However, see the previous issue tracking system for working group decisions prior to 2017.

Introduction

The World Wide Web consists of billions of resources interconnected through the use of hypertext. Hypertext provides a simple, page-oriented view of the information provided by those resources, which can be traversed by selecting links, manipulating controls, and supplying data via forms and search dialogs.

A Web page is often composed of many information sources beyond the initial resource request, including embedded references to stylesheets, inline images, javascript, and other elements that might be automatically requested as part of the rendering or behavioral processing defined for that page. The user's experience is seamless, even if the page has been composed from the results of many network interactions with multiple servers. From the user's perspective, they are simply visiting and interacting with a single Web site: all of the technical details and protocol mechanisms used to compose a page to represent that site are hidden behind the scenes.

Web site owners often collect data regarding usage of their sites, for a variety of purposes, including what led a user to visit the site (referrals), how effective the user experience is within the site (web analytics), and the nature of who is using the site (audience segmentation). In some cases, the data collected is used to dynamically adapt content (personalization) or advertising presented to the user (targeted advertising). Data collection often occurs through insertion of embedded elements on each page, resulting in a stream of data that connects a user's activity across multiple pages. A survey of these techniques and their privacy implications can be found in [[KnowPrivacy]].

Users need a mechanism to express their own preferences regarding tracking that is both simple to configure and efficient when implemented. However, merely expressing a preference does not imply that all recipients will comply. In some cases, a server might be dependent on some forms of tracking and unwilling or unable to turn that off. In other cases, a server might perform only limited forms of tracking that would be acceptable to most users. Therefore, servers need mechanisms for communicating their own tracking behavior, requesting consent, and storing a user-granted exception once the user has made an informed choice.

This specification extends Hypertext Transfer Protocol (HTTP) semantics [[!RFC7231]] to communicate a user's tracking preference, if any, and an origin server's tracking behavior. The DNT request header field is defined for communicating the user's tracking preference for the target resource. A well-known URI for a tracking status resource and the Tk response header field are defined for communicating the server's tracking behavior. In addition, JavaScript APIs are defined for enabling scripts to determine DNT status and register a user-granted exception.

This specification does not define requirements on what a recipient needs to do to comply with a user's expressed tracking preference, except for the means by which such compliance is communicated. Instead, the tracking status provides the ability to identify a set of compliance regimes to which the server claims to comply, with the assumption being that each regime defines its own requirements on compliant behavior. For example, [[TCS]] is a work-in-progress that intends to define such a compliance regime.

Terminology

HTTP

The following terms are used as defined by HTTP/1.1 syntax [[!RFC7230]] and semantics [[!RFC7231]]: client, server, origin server, user agent, sender, recipient, request, response, message, intermediary, proxy, cache, uri-host, authority, header field, target resource, resource, and representation.

HTML

The following terms are used as defined by HTML [[!HTML5]]: active document, document.domain, effective script origin, responsible document, and top-level browsing context.

Activity

Tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. A context is a set of resources that are controlled by the same party or jointly controlled by a set of parties.

A network interaction is a single HTTP request and its corresponding response(s): zero or more interim (1xx) responses and a single final (2xx-5xx) response.

A user action is a deliberate action by the user, via configuration, invocation, or selection, to initiate a network interaction. Selection of a link, submission of a form, and reloading a page are examples of user actions. User activity is any set of such user actions.

Participants

A user is a natural person who is making, or has made, use of the Web.

A party is a natural person, a legal entity, or a set of legal entities that share common owner(s), common controller(s), and a group identity that is easily discoverable by a user. Common branding or providing a list of affiliates that is available via a link from a resource where a party describes DNT practices are examples of ways to provide this discoverability.

With respect to a given user action, a first party is a party with which the user intends to interact, via one or more network interactions, as a result of making that action. Merely hovering over, muting, pausing, or closing a given piece of content does not constitute a user's intent to interact with another party.

In some cases, a resource on the Web will be jointly controlled by two or more distinct parties. Each of those parties is considered a first party if a user would reasonably expect to communicate with all of them when accessing that resource. For example, prominent co-branding on the resource might lead a user to expect that multiple parties are responsible for the content or functionality.

For any data collected as a result of one or more network interactions resulting from a user's action, a third party is any party other than that user, a first party for that user action, or a service provider acting on behalf of either that user or that first party.

Access to Web resources often involves multiple parties that might process the data received in a network interaction. For example, domain name services, network access points, content distribution networks, load balancing services, security filters, cloud platforms, and software-as-a-service providers might be a party to a given network interaction because they are contracted by either the user or the resource owner to provide the mechanisms for communication. Likewise, additional parties might be engaged after a network interaction, such as when services or contractors are used to perform specialized data analysis or records retention.

For the data received in a given network interaction, a service provider is considered to be the same party as its contractee if the service provider:

  1. processes the data on behalf of the contractee;
  2. ensures that the data is only retained, accessed, and used as directed by the contractee;
  3. has no independent right to use the data other than in a permanently de-identified form (e.g., for monitoring service integrity, load balancing, capacity planning, or billing); and,
  4. has a contract in place with the contractee which is consistent with the above limitations.

Data

A party collects data received in a network interaction if that data remains within the party’s control after the network interaction is complete.

A party uses data if the party processes the data for any purpose other than storage or merely forwarding it to another party.

A party shares data if it transfers or provides a copy of that data to any other party.

Data is permanently de-identified when there exists a high level of confidence that no human subject of the data can be identified, directly or indirectly (e.g., via association with an identifier, user agent, or device), by that data alone or in combination with other retained or available information.

Notational Conventions

Requirements

The key words must, must not, required, should, should not, recommended, may, and optional in this specification are to be interpreted as described in [[!RFC2119]].

Formal Syntax

This specification uses the Augmented Backus-Naur Form (ABNF) notation of [[!RFC5234]] to define network protocol syntax and WebIDL [[!WEBIDL]] to define scripting APIs. Conformance criteria and considerations regarding error handling are defined in Section 2.5 of [RFC7230].

Determining User Preference

The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application that they communicate with via HTTP, thereby allowing recipients of that preference to adjust tracking behavior accordingly or to reach a separate agreement with the user that satisfies all parties.

Key to that notion of expression is that the signal sent MUST reflect the user's preference, not the choice of some vendor, institution, site, or network-imposed mechanism outside the user's control; this applies equally to both the general preference and exceptions. The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed.

A user agent MUST offer users a minimum of two alternative choices for a Do Not Track preference: unset or DNT:1. A user agent MAY offer a third alternative choice: DNT:0.

If the user's choice is DNT:1 or DNT:0, the tracking preference is enabled; otherwise, the tracking preference is not enabled.

A user agent MUST have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the user's decision to use that agent. For example, use of a general-purpose browser would not imply a tracking preference when invoked normally as SuperFred, but might imply a preference if invoked as SuperDoNotTrack or UltraPrivacyFred.

Implementations of HTTP that are not under control of the user MUST NOT add, delete, or modify a tracking preference. Some controlled network environments, such as public access terminals or managed corporate intranets, might impose restrictions on the use or configuration of installed user agents, such that a user might only have access to user agents with a predetermined preference enabled. However, if a user brings their own Web-enabled device to a library or cafe with wireless Internet access, the expectation will be that their chosen user agent and personal preferences regarding Web site behavior will not be altered by the network environment (aside from blanket limitations on what resources can or cannot be accessed through that network).

An HTTP intermediary MUST NOT add, delete, or modify a tracking preference expression in a request forwarded through that intermediary unless the intermediary has been specifically installed or configured to do so by the user making the request. For example, an Internet Service Provider MUST NOT inject DNT:1 on behalf of all users who have not expressed a preference.

User agents often include user-installable extensions, also known as add-ons or plug-ins, that are capable of modifying configurations and making network requests. From the user's perspective, these extensions are considered part of the user agent and ought to respect the user's configuration of a tracking preference. The user agent as a whole is responsible for ensuring conformance with this protocol, to the extent possible, which means the user agent core and each extension are jointly responsible for conformance. However, there is no single standard for extension interfaces. A user agent that permits such extensions SHOULD provide an appropriate mechanism for extensions to determine the user's tracking preference.

A user agent extension MUST NOT alter the tracking preference expression or its associated configuration unless the act of installing and enabling that extension is an explicit choice by the user for that tracking preference, or the extension itself complies with all of the requirements this protocol places on a user agent.

Likewise, software outside of the user agent might filter network traffic or cause a user agent's configuration to be changed. Software that alters a user agent configuration MUST adhere to the above requirements on a user agent extension. Software that filters network traffic MUST adhere to the above requirements on an HTTP intermediary.

Aside from the above requirements, we do not specify how the tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for determining the user experience by which a tracking preference is enabled.

For example, a user might select a check-box in their user agent's configuration, install an extension that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., Privacy settings: high). A user agent might ask the user for their preference during startup, perhaps on first use or after an update adds the tracking protection feature. Likewise, a user might install or configure a proxy to add the expression to their own outgoing requests.

Expressing a Tracking Preference

Expression Format

When a user has enabled a tracking preference, that preference needs to be expressed to all mechanisms that might perform or initiate tracking.

When enabled, a tracking preference is expressed as either:

DNT meaning
1 This user prefers not to be tracked on this request.
0 This user prefers to allow tracking on this request.

A user agent MUST NOT send a tracking preference expression if a tracking preference is not enabled. This means that no expression is sent for each of the following cases:

In the absence of regulatory, legal, or other requirements, servers MAY interpret the lack of an expressed tracking preference as they find most appropriate for the given user, particularly when considered in light of the user's privacy expectations and cultural circumstances. Likewise, servers might make use of other preference information outside the scope of this protocol, such as site-specific user preferences or third-party registration services, to inform or adjust their behavior when no explicit preference is expressed via this protocol.

This specification defines a protocol for communicating the user's tracking preference, not a protocol that prevents tracking on its own. It might be tempting to assume that design for privacy would justify calling for DNT:1 to be preconfigured as the default for all user agents. However, that would violate the field's semantics, make its presence in a request meaningless, and add eight extra bytes to every HTTP request (with no effect).

The DNT signal alone does nothing to enhance a user's privacy. It is only when recipients believe that the signal has been deliberately and knowingly configured, and not defined as a default, that they will consider it to be the user's preference. Furthermore, when no signal is sent, recipients remain subject to whatever regulatory, legal, or other regional requirements regarding tracking exist in the absence of consent.

DNT Header Field for HTTP Requests

The DNT header field is a mechanism for expressing the user's tracking preference in an HTTP request ([[!RFC7230]]). At most one DNT header field can be present in a valid request.

DNT-field-name  = "DNT"
DNT-field-value = ( "0" / "1" ) *DNT-extension

A user agent MUST NOT generate a DNT header field if the user's tracking preference is not enabled.

A user agent MUST generate a DNT header field with a field-value that begins with the numeric character "1" if the user's tracking preference is enabled, their preference is for DNT:1, and no exception has been granted for the target resource (see ).

A user agent MUST generate a DNT header field with a field-value that begins with the numeric character "0" if the user's tracking preference is enabled and their preference is for DNT:0, or if an exception has been granted for the target resource.

A proxy MUST NOT generate a DNT header field unless it has been specifically installed or configured to do so by the user making the request and adheres to the above requirements as if it were a user agent.

GET /something/here HTTP/1.1
Host: example.com
DNT: 1

Extensions to the DNT Field Value

The remainder of the DNT field-value, after the initial character, is reserved for future extensions. DNT extensions can only be transmitted when a tracking preference is enabled. The extension syntax is restricted to visible ASCII characters that can be parsed as a single word in HTTP and safely embedded in a JSON string without further encoding ().

DNT-extension   = %x21 / %x23-2B / %x2D-5B / %x5D-7E
                ; excludes CTL, SP, DQUOTE, comma, backslash

For example, additional characters might indicate modifiers to the main preference expressed by the first digit, such that the main preference will be understood if the recipient does not understand the extension. Hence, a field-value of "1xyz" can be thought of as do not track, but if you understand the refinements defined by x, y, or z, then adjust my preferences according to those refinements.

User agents that do not implement DNT extensions MUST NOT send DNT-extension characters in the DNT field-value. Servers that do not implement DNT extensions SHOULD ignore anything beyond the first character.

This DNT-extension feature is at-risk because no known extensions have been defined; implementors that do not read this specification are likely to assume that DNT only has the fixed values of "0" or "1". Furthermore, the potential benefits of this mechanism are unclear given that extension information could be supplied using separate request header fields and inappropriate extensions to the "1" value might cause the user's requests to be more easily fingerprinted.

JavaScript Property to Detect Preference

The Navigator.doNotTrack property enables a client-side script with read access to the Navigator object [[!HTML5]] to determine what DNT header field value would be sent in requests to the effective script origin, taking into account the user's general preference (if any) and the current user-granted exceptions applicable to that target domain.

        partial interface Navigator {
            readonly attribute DOMString? doNotTrack;
        };
      

The value of Navigator.doNotTrack is the string value that would be sent in a DNT field-value () in a request to the effective script origin. The value is null if no DNT header field would be sent (e.g., because a tracking preference is not enabled); otherwise, the value is a string beginning with "0" or "1", possibly followed by DNT-extension characters.

Because activity in multiple browsing contexts can determine the current value of Navigator.doNotTrack, it is only guaranteed to be accurate during the resolution of a TrackingException API Promise.

Tracking Preference Expressed in Other Protocols

A user's tracking preference is intended to apply in general, regardless of the protocols being used for Internet communication. However, it is beyond the scope of this specification to define how a user's tracking preference might be communicated via protocols other than HTTP.

Communicating a Tracking Status

Overview

In addition to expressing the user's preference regarding tracking, this protocol enables servers to communicate machine-readable claims regarding their own tracking behavior. Since a personalized tracking status on every response would disable caching, a combination of response mechanisms are defined to allow the tracking status to be communicated prior to making a trackable request and without making every response dynamic.

Tracking Status Value

Definition

A tracking status value (TSV) is a single character response to the user's tracking preference with regard to data collected via the designated resource. For a site-wide tracking status resource, the designated resource is any resource on the same origin server. For a Tk response header field, the target resource of the corresponding request is the designated resource, and remains so for any subsequent request-specific tracking status resource referred to by the Tk field value.

The tracking status value is case sensitive, as defined formally by the following ABNF.

TSV    = %x21   ; "!" — under construction
       / %x3F   ; "?" — dynamic
       / %x47   ; "G" — gateway to multiple parties
       / %x4E   ; "N" — not tracking
       / %x54   ; "T" — tracking
       / %x43   ; "C" — tracking with consent
       / %x50   ; "P" — tracking only if consented
       / %x44   ; "D" — disregarding DNT
       / %x55   ; "U" — updated
       / TSV-extension

Under Construction (!)

A tracking status value of ! means that the origin server is currently testing its communication of tracking status. The ! value has been provided to ease testing and deployment on production systems during the initial periods of testing compliance and during adjustment periods due to future protocol changes or shifting regulatory constraints. Note that this value does not indicate that the user's preference will be ignored, nor that tracking will occur as a result of accessing the designated resource.

Dynamic (?)

A tracking status value of ? means the origin server needs more information to determine tracking status, usually because the designated resource dynamically adjusts behavior based on information in a request.

If ? is present in the site-wide tracking status, the origin server MUST send a Tk header field in all responses to requests on the designated resource. If ? is present in the Tk header field, more information will be provided in a request-specific tracking status resource referred to by the status-id. An origin server MUST NOT send ? as the tracking status value in the representation of a request-specific tracking status resource.

Gateway (G)

A tracking status value of G means the server is acting as a gateway to an exchange involving multiple parties. This might occur if a response to the designated resource involves an automated selection process, such as dynamic bidding, where the party that is selected determines how the request data will be treated with respect to an expressed tracking preference. Similar to the ? value, the G TSV indicates that the actual tracking status is dynamic and will be provided in the response message's Tk header field, presumably using information forwarded from the selected party.

This tracking status value is only valid as a site-wide status. A server MUST NOT send G as the tracking status value in a Tk header field or within the representation of a request-specific tracking status resource.

If G is present in the site-wide tracking status:

  • the gateway MUST send a link within its site-wide tracking status representation to a privacy policy that explains what limitations are placed on parties that might receive data via that gateway;
  • the gateway MUST forward any expressed tracking preference in the request to each party that receives data from that request;
  • the gateway MUST have a contract in place with each of the parties to whom it provides request data such that only the selected party is allowed to retain tracking data from a request with an expressed tracking preference of DNT:1; and,
  • the gateway MUST send a Tk header field in responses to requests on the designated resource and include within that field's value a status-id specific to the selected party, such that information about the selected party can be obtained via the request-specific tracking status resource (see ).

With respect to tracking performed by the gateway itself, the G response can be considered equivalent to the T (tracking) response defined below. The other information within the site-wide tracking status representation indicates how the gateway intends to comply with an expressed tracking preference, aside from the potential sharing of data implied by the gateway process.

Not Tracking (N)

A tracking status value of N means the origin server claims that data collected via the designated resource is not used for tracking and will not be combined with other data in a form that would enable tracking.

Tracking (T)

A tracking status value of T means the origin server might perform or enable tracking using data collected via the designated resource. Information provided in the tracking status representation might indicate whether such tracking is limited to a set of commonly accepted uses or adheres to one or more compliance regimes.

Consent (C)

A tracking status value of C means that the origin server believes it has received prior consent for tracking this user, user agent, or device, perhaps via some mechanism not defined by this specification, and that prior consent overrides the tracking preference expressed by this protocol. An origin server that sends the C tracking status value for a designated resource MUST provide a reference for controlling consent within the config property of its corresponding tracking status representation ().

Potential Consent (P)

A tracking status value of P means that the origin server does not know, in real-time, whether it has received prior consent for tracking this user, user agent, or device, but promises not to use or share any DNT:1 data until such consent has been determined, and further promises to delete or permanently de-identify within forty-eight hours any DNT:1 data received for which such consent has not been received.

Since this status value does not itself indicate whether a specific request is tracked, an origin server that sends a P tracking status value MUST provide a config property in the corresponding tracking status representation that links to a resource for obtaining consent status.

The P tracking status value is specifically meant to address audience survey systems for which determining consent at the time of a request is either impractical, due to legacy systems not being able to keep up with Web traffic, or potentially "gamed" by first party sites if they can determine which of their users have consented. The data cannot be used for the sake of personalization. If consent can be determined at the time of a request, the C tracking status is preferred.

Disregarding (D)

A tracking status value of D means that the origin server is unable or unwilling to respect a tracking preference received from the requesting user agent. An origin server that sends the D tracking status value MUST detail within the server's corresponding privacy policy the conditions under which a tracking preference might be disregarded.

For example, an origin server might disregard the DNT field received from specific user agents (or via specific network intermediaries) that are deemed to be non-conforming, might be collecting additional data from specific source network locations due to prior security incidents, or might be compelled to disregard certain DNT requests to comply with a local law, regulation, or order.

This specification is written with an assumption that the D tracking status value would only be used in situations that can be adequately described to users as an exception to normal behavior. If this turns out not to be the case, either the server's decision to send the D signal needs re-examination, or this specification, or both.

Updated (U)

A tracking status value of U means that the request resulted in a potential change to the tracking status applicable to this user, user agent, or device. A user agent that relies on a cached tracking status SHOULD update the cache entry with the current status by making a new request on the applicable tracking status resource.

An origin server MUST NOT send U as a tracking status value anywhere other than a Tk header field that is in response to a state-changing request.

Extensions to the Tracking Status Value

Extensibility of the TSV set ensures that this protocol will continue to be usable as regional laws and regulatory environments evolve over time and compliance specifications are developed accordingly.

An origin server MAY send a TSV-extension character as a TSV if that extension has been defined by a future version of this specification or a compliance regime identified within the compliance property. Aside from storage or presentation of a server's response, a recipient MUST treat a TSV-extension value that it does not recognize as if the value was P (tracking only if consented).

TSV-extension = %x23-25  ; #$%
              / %x2A-3B  ; *+,-./0-9:;
              / %x40-42  ; @AB
              / %x45-46  ; EF
              / %x48-4D  ; HIJKLM
              / %x4F     ; O
              / %x51-53  ; QRS
              / %x56-5A  ; VWXYZ
              / %x5F     ; _
              / %x61-7A  ; a-z

Tk Header Field for HTTP Responses

Definition

The Tk response header field is a means for indicating the tracking status that applied to the corresponding request. An origin server is REQUIRED to send a Tk header field if its site-wide tracking status value is ? (dynamic) or G (gateway), or when an interactive change is made to the tracking status and indicated by U (updated).

Tk-field-name   =  "Tk"
Tk-field-value  =  TSV [ ";" status-id ]

The Tk field-value begins with a tracking status value (), optionally followed by a semicolon and a status-id that refers to a request-specific tracking status resource ().

For example, a Tk header field for a resource that claims not to be tracking would look like:

Tk: N

Referring to a Request-specific Tracking Status Resource

If an origin server has multiple, request-specific tracking policies, such that the tracking status might differ depending on some aspect of the request (e.g., method, target resource, header fields, data, etc.), the origin server can provide an additional subtree of well-known resources corresponding to each of those distinct tracking statuses. The status-id portion of the Tk field-value indicates which specific tracking status resource applies to the current request. The status-id is case-sensitive.

status-id       =  1*id-char
id-char         =  ALPHA / DIGIT / "_" / "-" / "+" / "=" / "/"

For example, a response containing

Tk: T;fRx42

indicates that data collected via the target resource might be used for tracking and that an applicable tracking status representation can be obtained by performing a retrieval request on

/.well-known/dnt/fRx42

Note that the status-id is resolved relative to the origin server of the current request. A retrieval request targeting that URI can be redirected, if desired, to some other server. The status-id has been intentionally limited to a small set of characters to encourage use of short tokens instead of potentially long, human-readable strings.

If a Tk field-value has a tracking status value of ? (dynamic), the origin server MUST send a status-id in the field-value.

Indicating an Interactive Status Change

Interactive mechanisms might be used, beyond the scope of this specification, that have the effect of asking for and obtaining prior consent for tracking, or for modifying prior indications of consent. For example, the tracking status resource's status object defines a config property that can refer to such a mechanism. Although such out-of-band mechanisms are not defined by this specification, their presence might influence the tracking status object's response value.

When an origin server provides a mechanism via HTTP for establishing or modifying out-of-band tracking preferences, the origin server MUST indicate within the mechanism's response when a state-changing request has resulted in a change to the tracking status for that server. This indication of an interactive status change is accomplished by sending a Tk header field in the response with a tracking status value of U (updated).

Tk: U

Tracking Status Resource

Site-wide Tracking Status

A site-wide tracking status resource provides information about the potential tracking behavior of resources located at that origin server. A site-wide tracking status resource has the well-known identifier

/.well-known/dnt/

relative to the origin server's URI [[RFC5785]].

An origin server that receives a valid GET request targeting its site-wide tracking status resource MUST send either a successful response containing a machine-readable representation of the site-wide tracking status, as defined below, or a sequence of redirects that leads to such a representation. Failure to provide access to such a representation implies that the origin server does not implement this protocol. The representation can be cached, as described in .

See for examples of how tracking status resources can be used to discover support for this protocol.

Request-specific Tracking Status

If an origin server has multiple, request-specific tracking policies, such that the tracking status might differ depending on some aspect of the request (e.g., method, target resource, header fields, data, etc.), the origin server can provide an additional subtree of well-known resources corresponding to each of those distinct tracking statuses. The Tk response header field () can include a status-id to indicate which specific tracking status resource applies to the current request.

A tracking status resource space is defined by the following URI Template [[RFC6570]]:

/.well-known/dnt/{+status-id}

where the value of status-id is a string of URI-safe characters provided by a Tk field-value in response to a prior request. For example, a prior response containing

Tk: ?;ahoy

refers to the specific tracking status resource

/.well-known/dnt/ahoy

Resources within the request-specific tracking status resource space are represented using the same format as a site-wide tracking status resource.

Status Checks are Not Tracked

When sending a request for the tracking status, a user agent SHOULD include any cookie data [[RFC6265]] (set prior to the request) that would be sent in a normal request to that origin server, since that data might be needed by the server to determine the current tracking status. For example, the cookie data might indicate a prior out-of-band decision by the user to opt-out or consent to tracking by that origin server.

An origin server MUST NOT retain tracking data regarding requests on the site-wide tracking status resource or within the tracking status resource space, regardless of the presence, absence, or value of a DNT header field, cookies, or any other information in the request. In addition, an origin server MUST NOT send Set-Cookie or Set-Cookie2 header fields in responses to those requests, including the responses to redirected tracking status requests, and MUST NOT send a response having content that initiates tracking beyond what was already present in the request. A user agent SHOULD ignore, or treat as an error, any Set-Cookie or Set-Cookie2 header field received in such a response.

Caching

If the tracking status is applicable to all users, regardless of the received DNT field-value and other data received via the request, then the origin server SHOULD mark the response as cacheable [[!RFC7234]] and assign a time-to-live (expiration or max-use) that is sufficient to enable shared caching but not greater than the earliest point at which the service's tracking behavior might increase.

For example, if the tracking status response is set to expire in seven days, then the earliest point in time that the service's tracking behavior can be increased is seven days after the tracking status representation has been updated to reflect the new behavior, since old copies might persist in caches until the expiration is triggered. A service's tracking behavior can be reduced at any time, with or without a corresponding change to the tracking status resource.

If the tracking status is only applicable to users that have the same DNT field-value, the origin server MUST send a Vary header field that includes "DNT" in its field-value or a Cache-Control header field containing one of the following directives: "private", "no-cache", "no-store", or "max-age=0".

If the tracking status is only applicable to the specific user that requested it, then the origin server MUST send a Cache-Control header field containing one of the following directives: "private", "no-cache", or "no-store".

Regardless of the cache-control settings, it is expected that user agents will check the tracking status of a service only once per session (at most). A public Internet site that intends to change its tracking status to increase tracking behavior MUST update the tracking status resource in accordance with that planned behavior at least twenty-four hours prior to activating that new behavior on the service.

A user agent that adjusts behavior based on active verification of tracking status, relying on cached tracking status responses to do so, SHOULD check responses to its state-changing requests (e.g., POST, PUT, DELETE, etc.) for a Tk header field with the U tracking status value, as described in .

Tracking Status Representation

For each tracking status resource, an origin server MUST provide a valid representation using the application/tracking-status+json media type. This media type consists of a status object serialized as JSON [[!RFC7159]]. More information about the application/tracking-status+json media type can be found in .

Status Object

A tracking status representation consists of a single status object containing properties that describe the tracking status applicable to the designated resource. Most of the properties are optional and can be extended over time, as illustrated by the following Orderly schema [[Orderly]]:

object {
    string tracking;                 // TSV
    array { string; } compliance?;   // hrefs
    string qualifiers?;              // compliance flags
    array { string; } controller?;   // hrefs
    array { string; } same-party?;   // domains
    array { string; } audit?;        // hrefs
    string policy?;                  // href
    string config?;                  // href
}*;

The following example representation demonstrates a status object with all of the properties defined by this specification.

{
  "tracking": "T",
  "compliance": ["https://acme.example.org/tracking101"],
  "qualifiers": "afc",
  "controller": ["https://www.example.com/privacy"],
  "same-party": [
    "example.com",
    "example_vids.net",
    "example_stats.com"
  ],
  "audit": [
    "http://auditor.example.org/727073"
  ],
  "policy": "/privacy.html#tracking",
  "config": "http://example.com/your/data"
}

Tracking Property

A status object MUST have a property named tracking with a string value containing the tracking status value () applicable to the designated resource.

For example, the following demonstrates a minimal tracking status representation that is applicable to any resource that does not perform tracking.

{"tracking": "N"}

Compliance Property

An origin server MAY send a property named compliance with an array value containing a list of URI references that identify specific regimes to which the origin server claims to comply for the designated resource. Communicating such a claim of compliance is presumed to improve transparency, which might influence a user's decisions or configurations regarding allowed tracking.

If an origin server sends a TSV-extension or an extension property in the status object that is not defined by successors of this specification, the origin server MUST send a compliance property that contains a reference to the definitive specification of that extension. If more than one reference in the compliance array defines the same extension value, the origin server SHOULD list the array of references in order by intended precedence.

Qualifiers Property

An origin server MAY send a property named qualifiers with a string value containing a sequence of case sensitive characters corresponding to explanations or limitations on the extent of tracking. Multiple qualifiers indicate that multiple explanations or forms of tracking might apply for the designated resource. The meaning of each qualifier is presumed to be defined by one or more of the regimes listed in compliance.

Controller Property

An origin server MAY send a property named controller with an array value containing a list of URI references indirectly identifying the party or set of parties that claims to be the responsible data controller for personal data collected via the designated resource. An origin server MUST send a controller property if the responsible data controller does not own the designated resource's domain name.

An origin server that does not send controller is implying that its domain owner is the sole data controller; information about the data controller ought to be found on the designated resource's site root page, or by way of a clearly indicated link from that page (i.e., an absent controller property is equivalent to: "controller":["/"]).

If the designated resource has joint data controllers (i.e., multiple parties have independent control over the collected data), the origin server MUST send a controller property that contains a reference for each data controller.

Each URI reference provided in controller ought to refer to a resource that, if a retrieval action is performed on that URI, would provide the user with information regarding (at a minimum) the identity of the corresponding party and its data collection practices.

Same-party Property

Since a user's experience on a given site might be composed of resources that are assembled from multiple domains, it might be useful for a site to distinguish those domains that are subject to their own control (i.e., share the same data controller as the referring site). An origin server MAY send a property named same-party with an array value containing a list of domain names that the origin server claims are the same party, to the extent they are referenced by the designated resource, if all data collected via those references share the same data controller as the designated resource.

A user agent might use the same-party array, when provided, to inform or enable different behavior for references that are claimed to be same-party versus those for which no claim is made. For example, a user agent might choose to exclude, or perform additional pre-flight verification of, requests to other domains that have not been claimed as same-party by the referring site.

Audit Property

An origin server MAY send a property named audit with an array value containing a list of URI references to external audits of the designated resource's privacy policy and tracking behavior. Preferably, the audit references are to resources that describe the auditor and the results of that audit; however, if such a resource is not available, a reference to the auditor is sufficient.

Policy Property

An origin server MAY send a property named policy with a string value containing a URI reference to a human-readable document that describes the relevant privacy policy for the designated resource. This document can inform users about data that might be collected when the designated resource is accessed and how collection, use, or sharing of such data might differ based on receipt of an expressed tracking preference (DNT:1 or DNT:0).

An origin server MUST send a policy property if that server is the effective script origin of a script that calls the JavaScript API for storing a user-granted exception, as described in .

The content of such a policy document is beyond the scope of this protocol and only supplemental to what is described in the machine-readable tracking status representation. If no policy property is provided, this information might be obtained via the links provided in controller.

If the policy associated with a designated resource happens to be defined as a common standard that is applicable to multiple sites, or includes such a standard by reference, that standard ought to be referenced by a URI within the machine-readable compliance property.

Config Property

An origin server MAY send a property named config with a string value containing a URI reference to a resource for giving the user control over personal data collected via the designated resource (and possibly other resources). If the tracking status value indicates prior consent (C), the origin server MUST send a config property referencing a resource that describes how such consent is established and how to revoke that consent.

A config resource might include the ability to review past data collected, delete some or all of the data, provide additional data (if desired), or opt-in, opt-out, or otherwise modify an out-of-band consent status regarding data collection. The design of such a resource, the extent to which it can provide access to that data, and how one might implement an out-of-band consent mechanism are beyond the scope of this protocol.

If no config property is provided, this information might be obtained via the links provided in controller or policy.

Extensions to the Status Object

Extensibility of the status object ensures that this protocol will continue to be usable as regional laws and regulatory environments evolve over time and compliance specifications are developed accordingly.

An origin server MAY send additional properties in the status object if those extensions have been defined by a future version of this specification or a compliance regime identified within the compliance property. Aside from storage or presentation of a server's response, a recipient MUST ignore extension properties that it does not recognize.

Status Code for Tracking Required

If an origin server receives a request with DNT:1, does not have out-of-band consent for tracking this user, and wishes to deny access to the requested resource until the user provides some form of user-granted exception or consent for tracking, then the origin server SHOULD send a 409 (Conflict) response with a message payload that describes why the request has been refused and how one might supply the required consent or exception to avoid this conflict [[!RFC7231]].

The 409 response ought to include a user authentication mechanism in the header fields and/or message body if user login is one of the ways through which access is granted.

Using the Tracking Status

This section is for collecting use cases that describe questions a user agent might have about tracking status and how the protocol can be used to answer such questions. More cases are needed.

Discovering Deployment

Deployment of this protocol for a given service can be discovered by making a retrieval request on the site-wide tracking resource /.well-known/dnt/ relative to the service URI.

If the response is an error, then the service does not implement this standard. If the response is a redirect, then follow the redirect to obtain the tracking status (up to some reasonable maximum of redirects to avoid misconfigured infinite request loops). If the response is successful, obtain the tracking status representation from the message payload, if possible, or consider it an error.

Preflight Checks

A key advantage of providing the tracking status at a resource separate from the site's normal services is that the status can be accessed and reviewed prior to making use of those services.

A user agent can check the tracking status for a designated resource by first making a retrieval request for the site-wide tracking status representation, as described above, and then parsing the representation as JSON to extract the status object. If the retrieval is unsuccessful or parsing results in a syntax error, the user agent ought to consider the site to be non-conformant with this protocol.

The status object is supposed to have a property named tracking containing the tracking status value. The meaning of each tracking status value is defined in .

If the tracking status value is N, then the origin server claims that no tracking is performed for the designated resource for at least the next 24 hours or until the Cache-Control information indicates that this response expires.

If the tracking status value is not N, then the origin server claims that it might track the user agent for requests on the URI being checked for at least the next 24 hours or until the Cache-Control information indicates that this response expires.

User-Granted Exceptions

Motivating Principles

The following principles guide the design of user-granted exceptions.

Exception Model

A user-granted exception is the record of a decision by the user to grant consent for tracking (DNT:0) on future requests from a given context to a set of target domains. Both context and target are scoped by domain, similar to the existing domain scope of cookies (Section 5.3.1 of [[!HTML5]]), in order to avoid asking the user's exception for every subdomain context of a site and every target resource that might be referenced.

A client-side database can be used for persistent storage of user-granted exceptions, such that permission to send DNT:0 is obtained by a site and stored via a JavaScript API. However, we only define the API (below); the choice of storage mechanism is left to each implementation. In comparison to the use of cookies to manage consent, an exception database and APIs provide more transparency and better user control over their own consent decisions, while also providing better persistence of those exceptions for sites.

There are potentially three different domain concepts involved in the processing of user-granted exceptions:

script domain
the default context of a script when it accesses the exception database: specifically, the current document.domain of the script's responsible document.
site domain
the context of a given reference for which the user-granted exceptions API might be queried: specifically, the current document.domain of the top-level browsing context's active document.
target domain
the uri-host subcomponent of the authority component of a referenced "http" or "https" URI

A user-granted exception is site-specific if the context is limited to requests embedded in, or referred by, a given site domain; otherwise, the exception is web-wide and applies to all contexts. For example, a user might wish to grant a target domain a web-wide exception for the purpose of audience surveys, perhaps in exchange for some incentive.

When asking for a site-specific exception, the site making the request might make some implicit or explicit claims as to the actions and behavior of its third parties; for this reason, a site might want to establish exceptions for only those target domains for which it can be sure that those claims are true. (Consider a site that has some trusted advertisers and analytics providers, along with some mashed-up content from less-trusted sites). For this reason, site-specific exceptions can either be limited to a named set of target domains or applicable to any target domain ("*").

Granting an Exception

This section is supposed to describe how a site would go about asking the user for the various types of exception. The existing text is lacking that necessary information.

It is expected that a site will explain to the user, in its online content, the need for an exception and the consequences of granting or denying that exception.

The user agent adds to its local database one or more site-pair duplets [document-origin, target]; one or the other of these MAY be a wild-card ("*").

A site MAY ask for an exception, and have it stored, even when the user's general preference is not enabled. This permits the sending of DNT only for target resources for which an expressed preference is desired (see ).

A site MUST ensure that a call to store an exception reflects the user's intention to grant an exception at the time of that call. It is the sole responsibility of the site to determine that a call to record an exception reflects the user's informed consent at the time of that call.

A site MAY monitor for changes to its user-granted exceptions. If a user revokes consent by deleting an exception, the site MUST respect that revocation, though it MAY ask again for a new exception. In other words, a site MUST NOT resurrect a deleted exception without first interacting with and receiving new consent from the user.

A site MUST have a site-wide tracking status resource with a valid tracking status representation that includes a policy property when making an API call to store a user-granted exception. This allows a user agent to obtain and possibly store additional information about the calling site’s controller and tracking policies at the time an exception is granted.

A user agent MAY choose to reject an API call if it cannot determine the script origin or if the script origin does not have a site-wide tracking status resource with a valid tracking status representation.

A user agent MAY choose to disregard a user-granted exception when the target resource does not have a corresponding tracking status resource with a valid tracking status representation, since that would imply the target resource does not conform to this specification.

A user-agent MUST handle each API request as a 'unit', granting and maintaining it in its entirety, or not at all. That means that a user agent MUST NOT indicate to a site that a request for targets {a, b, c} exists in the database, and later remove only one or two of {a, b, c} from its logical database of remembered grants. This assures sites that the set of sites they need for operational integrity is treated as a unit. Each separate call to an API is a separate unit.

There is no required user interface for a user agent regarding the granting of exceptions; a user agent MAY choose to provide none. Alternatively, a user agent MAY:

When an explicit list of domains is provided through the API, their names might mean little to the user. The user might, for example, be told that there is a stored exception for a specific set of sites on such-and-such top-level origin, rather than listing them by name; or the user agent might decide to store a site-wide exception, effectively ignoring any list of domain names.

Conversely, if a wild-card is used, the user might be told that there is a stored exception for all third-parties that are embedded by the indicated top-level origin.

Exception Management

User agents are free to implement exception management user interfaces as they see fit. Some agents might provide a notification to the user at the time of the request, or even not complete the storing of the exception until the user approves. Some agents might provide a user-interface to see and edit the database of recorded exception grants.

The API parameters siteName, explanationString, and detailURI are provided so that the user agent can use them in their user interface. If a user agent presents these parameters to the user, it ought to be clear that they are provided for informational value and are less important than the exception's technical effect.

A user agent that chooses to highlight when tracking exceptions have been stored might provide an interface like the following:

In some user agent implementations, decisions to grant exceptions might have been made in the past (and since forgotten) or might have been made by other users of the device. Thus, exceptions might not always represent the current preferences of the user. Some user agents might choose to provide ambient notice that user-opted tracking is ongoing, or easy access to view and control these preferences. Users might also desire to edit exceptions within a separate user interface, which would allow a user to modify their stored exceptions without visiting the target sites.

Checking an Exception

A user agent is expected to query the exceptions database at the time of a request in order to determine what value (if any) to send as the user's tracking preference.

A pair of duplets [A,B] and [X,Y] match if A matches X and B matches Y. A pair of values A and X match if and only if one of the following is true:

For example, a user might grant exception for metrics.example.net to track their activity on news.example.com and weather.example.com, but not on medical.example.org. If the document at http://news.example.com/news/story/2098373.html has embedded references to http://metrics.example.net/1x1.gif and http://weather.example.com/widget.js, the site domain (context) for those references is news.example.com and the target domains are metrics.example.net and weather.example.com, respectively.

Exception API

In the description below, the terms throw, Promise and the exception names SYNTAX_ERR and SECURITY_ERR are defined in [[!WEBIDL-LS]]

The terms resolving a Promise and rejecting a Promise are used as explained in [PROMGUIDE].

We currently specify six different APIs (plus the doNotTrack property which now appears to be useless) with three distinct definitions of an exception record and three distinct return types. Also, we use a single (inappropriate) exception to signal all errors.

What we should have is one exception record and three APIs for store/confirm/delete with a single Promise<T> return type and a distinct exception name for each error. The interfaces should be defined using an algorithm similar to other specifications of promise-based interfaces. We should also remove the expires field since it was intended to be replaced (everywhere) by maxAge and is only kept in HTTP for legacy reasons.

API to Request a Tracking Exception

Navigator.storeTrackingException is called by a page to store a tracking exception, which can be site-specific, site-wide site-specific, or web-wide. A StoreExceptionPropertyBag dictionary contains the information to be stored for that exception. It returns a Promise which either resolves to an ExceptionResult result, or is rejected with a DOMException identifying the reason for the failure.

        partial interface Navigator {
            Promise<ExceptionResult> storeTrackingException (
            StoreExceptionPropertyBag properties
            );
        };
        dictionary StoreExceptionPropertyBag {
           DOMString? domain;
           boolean? isWebWide;
           sequence<DOMString>? arrayOfDomainStrings;
           DOMString? siteName;
           DOMString? explanationString;
           DOMString? detailURI;
           DOMString? expires;
           long?      maxAge;
        };
        dictionary ExceptionResult {
          boolean? isSiteWide;
          boolean? exists;
        };
        

Navigator.storeTrackingException passes a StoreExceptionPropertyBag that can contain the following properties:

isWebWide
A boolean specifying this request to be for a web-wide exception. If isWebWide is empty, false or null this is for a site-specific exception
domain
a cookie-domain as defined in [[!RFC6265]], to which the exception applies.
arrayOfDomainStrings
A JavaScript array of strings.
siteName
A user-readable string for the name of the top-level origin.
explanationString
A short explanation of the request.
detailURI
A location at which further information about this request can be found.
expires
A date and time, encoded as described for the cookie Expires attribute described in [[RFC6265]], indicating the maximum lifetime of the remembered grant.
maxAge
A positive number of seconds indicating the maximum lifetime of the remembered grant.

Calling storeTrackingException returns a Promise which either resolves to an ExceptionResult object, or is rejected with a DOMException result. The Promise resolves immediately the Tracking Exception request has been processed, with the property isSiteWide set to true if the request was for a site-specific exception and the resulting operation is site-wide.

If the request is for a site-specific exception and it does not include the arrayOfDomainStrings, then this request is for a site-wide, site-specific exception. Otherwise each string in arrayOfDomainStrings specifies a target domain.

If the list arrayOfDomainStrings is supplied and the request is for a site-specific exception, the user agent MAY choose to store a site-wide, site-specific exception. If it does so it MUST indicate this by setting the isSiteWide property to true.

If domain is supplied and not empty then it is treated in the same way as the domain parameter to cookies and allows setting for subdomains. The domain argument can be set to a fully-qualified right-hand segment of the document host name, up to one level below TLD. In the description below the variable Domain would have the value *.domain

For example, www.foo.bar.example.com can set the domain parameter as as "bar.example.com" or "example.com", but not to "something.else.example.com" or "com".

If domain is not specified or is null or empty then the request would be processed as if it had been set to the script domain. In the description below the variable Domain would have the value script domain

If isWebWide is not true and the exception is stored for an explicit list, then the set of duplets (one per target domain):

[Domain, target domain]

is added to the database of remembered grants.

If isWebWide is not true and the exception is stored for a site-wide exception, then the duplet:

[Domain, * ]

is added to the database of remembered grants.

If isWebWide is not true and the exception is stored for an explicit list, then the set of duplets (one per target domain):

[Domain, target domain]

is added to the database of remembered grants.

If isWebWide is true then this request is for a Web-Wide Exception and the duplet:

[*, Domain]

is added to the database of remembered grants.

If expires is supplied and not null or empty the remembered grant will be cancelled (i.e. processed as if the relevant Cancel API had been called) no later than the specified date and time.

If maxAge is supplied and not null, empty or negative the remembered grant will be cancelled (i.e. processed as if the relevant Cancel API had been called) no later than the specified number of seconds following the grant.

If both maxAge and expires are supplied, maxAge has precedence. If neither maxAge or expires are supplied, the user agent MAY retain the remembered grant until it is cancelled.

If the effective script origin would not be able to set a cookie on the domain following the cookie domain rules [[!RFC6265]] (e.g. domain is not a right-hand match or is a TLD) then the duplet MUST NOT be entered into the database and the returned Promise MUST be rejected with a DOMException.SECURITY_ERR.

Any other failuure, such as an incorrectly formatted parameter in the StoreExceptionPropertyBag, will result in no duplet being added to the data base of remebered grants, and the returned Promise being rejected with a DOMException.SYNTAX_ERR.

A particular response to the API — like a DNT response header field — is only valid immediately; a user might later choose to edit stored exceptions and revoke some or all of them.

API to Cancel a Tracking Exception

Navigator.removeTrackingException is called by a page to cancel a site-specific or web-wide tracking exception. The RemoveExceptionPropertyBag dictionary contains information to identify the exception.

        partial interface Navigator {
          Promise<void> removeTrackingException (
            RemoveExceptionPropertyBag properties
          );
        };

        dictionary RemoveExceptionPropertyBag {
           DOMString? domain;
           boolean? isWebWide;
        };

        

Navigator.removeTrackingException passes a RemoveExceptionPropertyBag that can contain the following properties:

isWebWide
A boolean specifying whether a web-wide or a site-specific exception should be removed. If isWebWide is empty, false or null this call refers to a site-specific exception
domain
a cookie-domain as defined in [[!RFC6265]], to which the exception applies.

If domain is supplied and not empty then it is treated in the same way as the domain parameter to cookies and allows setting for subdomains. The domain argument can be set to a fully-qualified right-hand segment of the document host name, up to one level below TLD. In the description below the variable Domain would have the value *.domain

If domain is not specified or is null or empty then the request would be processed as if it had been set to the script domain. In the description below the variable Domain would have the value script domain

The return value is a Promise which either resolves to a void result, or is rejected with a DOMException.

Any processing failure, such as an incorrectly formatted parameter in the RemoveExceptionPropertyBag, will result in no duplet being removed from the data base of remebered grants, and the returned Promise being rejected with a DOMException.SYNTAX_ERR.

When the Promise has been resolved, it is assumed that there are no exceptions of the specified type for the given Domain, and the database of grants no longer contains the indicated grant(s);

If there are no matching duplets in the database of remembered grants when the method is called then this operation does nothing, other than resolving the Promise.

API to Confirm a Tracking Exception

Navigator.confirmTrackingException is called by a page to confirm a tracking exception. A ExceptionPropertyBag dictionary contains information to identify the exception. It returns a Promise which either resolves to an ExceptionResult result, or is rejected with a DOMException identifying the reason for the failure.

        partial interface Navigator {
          Promise<ExceptionResult> confirmSiteSpecificTrackingException (
            ConfirmExceptionPropertyBag properties
          );
        };

        dictionary ConfirmExceptionPropertyBag {
           DOMString? domain;
           boolean? isWebWide;
           sequence<DOMString>? arrayOfDomainStrings;
        };

        

Navigator.confirmSiteSpecificTrackingException passes a ConfirmExceptionPropertyBag that can contain the following properties:

isWebWide
A boolean specifying whether a web-wide or a site-specific exception should be confirmed If isWebWide is empty, false or null this call refers to a site-specific exception
domain
a cookie-domain as defined in [[!RFC6265]], to which the exception applies.
arrayOfDomainStrings
A JavaScript array of strings.

If isWebWide is not true and the call does not include the arrayOfDomainStrings, then this call is to confirm a site-wide exception. Otherwise each string in arrayOfDomainStrings specifies a target domain.

If isWebWide is not true, the list arrayOfDomainStrings is supplied, and the user agent stores only site-wide exceptions, then the user agent MUST match by confirming a site-wide exception.

If domain is supplied and not empty then it is treated in the same way as the domain parameter to cookies and allows setting for subdomains. The domain argument can be set to a fully-qualified right-hand segment of the document host name, up to one level below TLD. In the description below the variable Domain would have the value *.domain

If domain is not specified or is null or empty then the request would be processed as if it had been set to the script domain. In the description below the variable Domain would have the value script domain

If isWebWide is true then any arrayOfDomainStrings is ignored, and the user agent MUST match by confirming a web-wide exception, i.e. the database is checked for the duplet:

[*,Domain]

If the user agent stores explicit lists, isWebWide is not true and the call includes an arrayOfDomainStrings, the database is checked for the existence of all the duplets (one per target):

[Domain, target domain]

If isWebWide is not true, the user agent stores only site-wide exceptions or the call did not include an explicit list, the database is checked for the single duplet:

[Domain, * ]

If isWebWide is not true, the user agent stores explicit lists and the call includes one, then the database is checked for the existence of all the duplets (one per target):

[Domain, target domain]

Any processing failure, such as an incorrectly formatted parameter in the ConfirmExceptionPropertyBag, will result in no duplet being removed from the data base of remebered grants, and the returned Promise being rejected with a DOMException.SYNTAX_ERR.

Otherwise the returned Promise resolves to a ExceptionResult object which MUST contain a boolean property exists with the following possible values:

  • true all the duplets exist in the database;
  • false one or more of the duplets does not exist in the database.

Exceptions without Interactive JavaScript

Some third party servers that might wish to receive a user-granted exception do not have the ability to invoke an interactive JavaScript presence on a page (for example, those that provide only images or "tracking pixels"). They cannot request an exception under these circumstances because a script is needed to make the API call and it requires interaction to ensure the user is informed and to receive an indication of their consent. In general, this process of informing, getting consent, and calling the API is not expected within page elements where such trackers are invoked.

To obtain an exception, a document (page, frame, etc.) that loads the JavaScript is needed. The user might visit the site that desires an exception directly, or the first party might provide a separate page that could load script-enabled frames in which each third party could ask for an exception (allowing for aggregation of requests).

In all these ways, the site is contributing to informing the user and obtaining their consent, while enabling a call to the Javascript API when such consent is granted.

Exceptions without an Expressed Preference

Sites might wish to request exceptions even when a user arrives without a DNT header field. Users might wish to grant permission for tracking on or by certain sites even without expressing a general tracking preference.

User agents MAY instantiate Navigator.storeSiteSpecificTrackingException even when Navigator.doNotTrack is null. Scripts SHOULD test for the existence of storeSiteSpecificTrackingException before calling the method. If an exception is granted and the user agent stores that preference, a user agent might send the DNT:0 tracking preference even if it has not enabled preferences to be sent for other requests. Persisted exceptions MAY affect which preference is transmitted if a user later chooses to configure a general tracking preference.

Exception Use by Sites

This section is to inform the authors of sites on some considerations in using the user-granted exceptions APIs to best effect; sites of particular interest here are those that need an exception in order to allow the user to perform some operation or to have some access.

The 'Store' calls return immediately, without a return value. If there is a problem with the calling parameters, then a Javascript exception will be thrown.

A user agent might not store the exception immediately, possibly because it is allowing the user to confirm. Even though the site has acquired the user's informed consent before calling the 'Store' API, it is possible that the user will change their mind, allow the storing of an exception to proceed but later remove it, or perhaps deny the storage by prior configuration.

Nonetheless, at the time of the call, the site has acquired the user's consent and can proceed on that basis, whether or not the user-agent has stored the exception immediately. It is not necessary to call the confirm API at the time of consent.

On other visits, a site can call the 'Confirm' APIs to enquire whether a specific exception has been granted and stands in the user agent. This is the call to make to determine whether the exception exists, and hence to control access to the function or operation; if it fails (the exception has been deleted or not yet granted), then the user is ideally again offered the information needed to give their informed consent, and again offered the opportunity to indicate that they grant it. As stated in the normative text, the site needs to explain and acquire consent immediately prior to calling the Store API, and not remember some past consent; this allows a user to change their mind.

If they do grant it (using some positive interaction such as a button), the site can return to checking the 'Confirm' API.

In this way the site:

Security Considerations

TBD.

Privacy Considerations

Fingerprinting

User-granted exceptions introduce a privacy risk. By storing client-side configurable state and providing functionality to learn about it later, the user-granted exceptions API might facilitate user fingerprinting and tracking. User agent developers ought to consider the possibility of fingerprinting during implementation and might consider rate-limiting requests or using other heuristics to mitigate fingerprinting risk.

Acknowledgements

This specification consists of input from many discussions within and around the W3C Tracking Protection Working Group, along with written contributions from Adrian Bateman (Microsoft), Justin Brookman (CDT), Nick Doty (W3C/MIT), Marcos Caceres (Mozilla), Rob van Eijk (Invited Expert), Roy T. Fielding (Adobe), Vinay Goel (Adobe), Tom Lowenthal (Mozilla), Jonathan Mayer (Stanford), Aleecia M. McDonald (Stanford), Mike O'Neill (Baycloud Systems), Matthias Schunter (Intel), John Simpson (Consumer Watchdog), David Singer (Apple), Rigo Wenning (W3C/ERCIM), Shane Wiley (Yahoo!), and Andy Zeigler (Microsoft).

The DNT header field is based on the original Do Not Track submission by Jonathan Mayer (Stanford), Arvind Narayanan (Stanford), and Sid Stamm (Mozilla). The JavaScript DOM property for doNotTrack is based on the Web Tracking Protection submission by Andy Zeigler, Adrian Bateman, and Eliot Graff (Microsoft). Many thanks to Robin Berjon for ReSpec.js.

Registrations

The Internet media type application/tracking-status+json is used for tracking status representations ().

Type name:
application
Subtype name:
tracking-status+json
Required parameters:
N/A
Optional parameters:
N/A
Encoding considerations:
binary
Security considerations:
See JSON [RFC7159], Section 12.
Interoperability considerations:
N/A
Published specification:
Tracking Preference Expression (DNT), .
https://www.w3.org/TR/tracking-dnt/
Applications that use this media type:
N/A
Fragment identifier considerations:
N/A
Additional information:
Deprecated alias names for this type: N/A
Magic number(s): N/A
File extension(s): N/A
Macintosh file type code(s): N/A
Person & email address to contact for further information:
W3C Tracking Protection Working Group <public-tracking@w3.org>
Intended usage:
COMMON
Restrictions on usage:
N/A
Author(s):
Roy T. Fielding and David Singer
Change controller:
W3C