httpd-bugs mailing list archives

Subject [Bug 53845] Remove DNT settings from httpd.conf
Date Sun, 09 Sep 2012 21:54:35 GMT

--- Comment #3 from Roy T. Fielding ---
Apache HTTP Server does not yet implement DNT (and makes no claims of
compliance) because: (1) DNT impacts first party services differently than
third party services and we have no way of knowing which one applies; and, (2)
the sections of the specifications regarding server compliance and the tracking
status response are still in flux, particularly in regard to access logs. If we
do implement DNT, the implementation might impact code throughout the whole
server, and the workarounds for broken browsers might then be more subtle than
simply dropping the signal. Browsers have chosen to send DNT already, in spite
of it not having a proper definition and not actually doing anything for users,
because it is easy for them to claim "privacy" while punting the actual work to

Jonathan is incorrect. A dialog box presented to the user with a preselected
option of "on" does not qualify as a default of "unset", nor do the Express
settings of IE10.0 qualify as a preference for privacy (read them and see). The
working group is not a judicial branch -- it will not sit around forever
adjudicating whether a given implementation complies or not, and nobody has
ever claimed that the standard requires servers to ignore invalid signals. 
Apache chose to do so because the signal is meaningless if it is set by
default, and it is harmful to deployment of DNT, to the Web, and to the open
standards process if we allow such deliberate abuse to be propagated

That section of the Tracking Preference Expression has been formally reviewed
by the WG several times to assure that it represents the consensus on ISSUE-4.
It is part of an open standard under development, which means the right way to
change it is to go through the working group process and request a change. If
the working group changes its opinion regarding the "unset" default or how it
might be implemented, then I (or someone faster than me) will submit a patch to
Apache that corresponds to the new consensus opinion of the working group.

Apache has no particular interest in what goes in the DNT open standard -- only
in that the protocol means what the WG says it means when the extra eight bytes
are sent on the wire.  Of course, we'd prefer that the standard specifies
something that we can implement, because we are not going to turn off access
logs just because a potentially evil client asks, but this block will be
removed as soon as the user agent is compliant, whether that is because of IE10
fixing their bug or the WG changing the specification.
