httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 53845] Remove DNT settings from httpd.conf
Date Sun, 09 Sep 2012 04:02:46 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53845

--- Comment #1 from Jonathan Mayer <jmayer@stanford.edu> ---
I'm a member of the W3C Tracking Protection Working Group. Some added
perspective from Do Not Track negotiations may be helpful here. Short version:
SVN commit 1371878 is definitely not required by the nascent W3C privacy
standards, and it will facilitate running afoul of those standards.

The working group has decided that a mainstream browser is not compliant if it
silently enables Do Not Track by default. The beta version of Internet Explorer
10, for example, is noncompliant. The group has *not*, however, decided:

1) An installation/first-run option, like shipping Internet Explorer 10, is
noncompliant. The draft text, in fact, notes this is an acceptable
implementation: "We do not specify how tracking preference choices are offered
to the user or how the preference is enabled: each implementation is
responsible for determining the user experience by which a tracking preference
is enabled. . . . The user-agent might ask the user for their preference during
startup, perhaps on first use or after an update adds the tracking protection
feature."

2) A compliant website may ignore a syntactically valid "DNT: 1" signal from a
noncompliant browser.

Furthermore, even if the W3C Do Not Track standard were to allow
second-guessing "DNT: 1" from particular browsers, it certainly would not
require it. Many websites would assuredly want to honor all "DNT: 1" headers or
ask a user to confirm his or her preferences.

If httpd is configured in an intermediary role (e.g. mod_proxy), this commit
runs into a different compliance issue: intermediaries aren't supposed to
tamper with "DNT" headers. Draft text: "An HTTP intermediary must not add,
delete, or modify the DNT header field in requests forwarded through that
intermediary unless that intermediary has been specifically installed or
configured to do so by the user making the requests."
