On Sep 13, 2012, at 4:48 AM, Eric Covener wrote:

> On Sat, Aug 11, 2012 at 3:51 AM, <field...@apache.org> wrote:
>> Author: fielding
>> Date: Sat Aug 11 07:51:52 2012
>> New Revision: 1371878
>>
>> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
>> Log:
>> Apache does not tolerate deliberate abuse of open standards
>
> I've come around on this one over time. While I appreciate the
> message/intent, I don't think this is reasonable for the default
> configuration because it errs on the side of ditching a privacy header
> and information loss for a (sensitive) header that we're not yet
> interpreting.

For those of you who haven't been following along, I'll include some links at the bottom for background.

DNT is not a privacy header. There is no magic pixy dust that sprinkles privacy bits on anyone that receives it. DNT is supposed to be an expression of user preference so that recipients will respect that user's desires.

It really is a question of deployment. Right now, nobody can comply with DNT on the server because none of the response mechanisms have been approved yet and the meaning of DNT is not agreed. There are a few sites that had been recognizing DNT as equivalent to their prior cookie-based opt-out, but most of those have since removed support of DNT (either for all UAs or only for IE 10.0) because of the default issue.

OTOH, if we were to attempt an implementation of DNT, then we could address it directly with the user instead of dropping the header field. Unfortunately, the WG has not yet agreed on a mechanism for a server to indicate that it "supports DNT in general, but for your specific user agent we need to ask again to confirm that it was by choice". There is also a general problem that, because compliance means long-term data controls and access restrictions are promised by the service owner, we can't respond as DNT compliant even if we have complied within our own server software.

> IMO it's enough even without this specific DNT text:
>
> "An HTTP intermediary must not add, delete, or modify the DNT header
> field in requests forwarded through that intermediary unless that
> intermediary has been specifically installed or configured to do so by
> the user making the requests. For example, an Internet Service
> Provider must not inject DNT: 1 on behalf of all of their users who
> have not selected a choice."

Yes (I wrote that part too), but keep in mind that we don't comply with DNT yet, nor are we likely to until the access log issues are resolved. I agree that we cannot have the config remain if we intend to comply with the standard, but that simply doesn't matter if IE 10.0 destroys DNT before we can even get there.

> I'd like to revert it, but this is not yet a veto. I'd like to hear
> what others think and would appreciate an ACK from Roy/Greg/Jim who
> voted for the backport to avoid any churn.

Strictly speaking, I don't think it is possible to veto a change made in a prior release, but I think this one should be reverted (or at least modified) if any of our PMC members feel so strongly now that they would have vetoed it last month. Consensus is important here.

Given the pathetic way that the Tracking Protection working group members have addressed this issue, both for and against the behavior of IE 10.0, I have lost any energy I once had for defending Mozilla's original definition. It was the only issue of substance that the WG had managed to record consensus, in over a year of deliberation. I would prefer that the WG change the text, one way or the other, before we make another change, but I also want anything we do to be based on what we think is right, not what others think or fail to do.

Regardless, I am +0 to revert, for none of the above reasons. I am not fond of the performance hit of checking for a browser version and setting an environment variable, just to support a standard that is not being backed by the standards group. I'd rather focus on new standards that aren't being manipulated by EC/DC politics and the trolls that they feed. I would, however, like to leave the three browsermatch lines in the config (commented out) as an example.

With regard to open letters, I'm done with that after our experience with Sun. If I had thought there was any chance of a letter working, it would have been the first action proposed. I am not opposed to the idea of sending official feedback through our friends at Microsoft, but please understand that it won't be effective unless we can make it in their own interest to stop abusing the standard.

Apache's original mission is still important to me, even if the rest of the world has forgotten.

http://oreilly.com/catalog/opensources/book/brian.html

....Roy

The following links may help with background.

http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining
http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do-not-track-in-the-windows-8-set-up-experience.aspx
http://www.computerworld.com/s/article/9230362/Windows_8_setup_shows_Do_Not_Track_options
http://lists.w3.org/Archives/Public/public-tracking/2012Aug/0076.html
http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0165.html