fielding at gbiv
Sep 13, 2012, 1:28 PM
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)

On Sep 13, 2012, at 4:48 AM, Eric Covener wrote:
> On Sat, Aug 11, 2012 at 3:51 AM, <fielding [at] apache> wrote:
>> Author: fielding
>> Date: Sat Aug 11 07:51:52 2012
>> New Revision: 1371878
>> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
>> Apache does not tolerate deliberate abuse of open standards
> I've come around on this one over time. While I appreciate the
> message/intent, I don't think this is reasonable for the default
> configuration because it errs on the side of ditching a privacy header
> and information loss for a (sensitive) header that we're not yet

For those of you who haven't been following along, I'll include some
links at the bottom for background. DNT is not a privacy header.
There is no magic pixie dust that sprinkles privacy bits on anyone
that receives it. DNT is supposed to be an expression of user
preference so that recipients will respect that user's desires.

It really is a question of deployment. Right now, nobody can comply
with DNT on the server because none of the response mechanisms have
been approved yet and the meaning of DNT is not agreed. There are
a few sites that had been recognizing DNT as equivalent to their
prior cookie-based opt-out, but most of those have since removed
support of DNT (either for all UAs or only for IE 10.0) because
of the default issue.

OTOH, if we were to attempt an implementation of DNT, then we could
address it directly with the user instead of dropping the header
field. Unfortunately, the WG has not yet agreed on a mechanism for a
server to indicate that it "supports DNT in general, but for your
specific user agent we need to ask again to confirm that it was
by choice". There is also a general problem that, because compliance
means long-term data controls and access restrictions are promised
by the service owner, we can't respond as DNT compliant even if we
have complied within our own server software.

> IMO it's enough even without this specific DNT text:
> "An HTTP intermediary must not add, delete, or modify the DNT header
> field in requests forwarded through that intermediary unless that
> intermediary has been specifically installed or configured to do so by
> the user making the requests. For example, an Internet Service
> Provider must not inject DNT: 1 on behalf of all of their users who
> have not selected a choice."

Yes (I wrote that part too), but keep in mind that we don't comply
with DNT yet, nor are we likely to until the access log issues
are resolved. I agree that we cannot have the config remain if
we intend to comply with the standard, but that simply doesn't
matter if IE 10.0 destroys DNT before we can even get there.

> I'd like to revert it, but this is not yet a veto. I'd like to hear
> what others think and would appreciate an ACK from Roy/Greg/Jim who
> voted for the backport to avoid any churn.

Strictly speaking, I don't think it is possible to veto a change made
in a prior release, but I think this one should be reverted (or at least
modified) if any of our PMC members feel so strongly now that they
would have vetoed it last month. Consensus is important here.

Given the pathetic way that the Tracking Protection working group
members have addressed this issue, both for and against the behavior
of IE 10.0, I have lost any energy I once had for defending Mozilla's
original definition. It was the only issue of substance on which the WG
had managed to record consensus, in over a year of deliberation.

I would prefer that the WG change the text, one way or the other,
before we make another change, but I also want anything we do to be
based on what we think is right, not what others think or fail to do.

Regardless, I am +0 to revert, for none of the above reasons.

I am not fond of the performance hit of checking for a browser
version and setting an environment variable, just to support a
standard that is not being backed by the standards group.
I'd rather focus on new standards that aren't being manipulated
by EC/DC politics and the trolls that they feed. I would, however,
like to leave the three BrowserMatch lines in the config
(commented out) as an example.

With regard to open letters, I'm done with that after our experience
with Sun. If I had thought there was any chance of a letter working,
it would have been the first action proposed. I am not opposed to
the idea of sending official feedback through our friends at Microsoft,
but please understand that it won't be effective unless we can make
it in their own interest to stop abusing the standard.

Apache's original mission is still important to me, even if the
rest of the world has forgotten.

The following links may help with background.
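The browser-version check and environment-variable mechanism the post refers to, shown as an added httpd configuration fragment for illustration; it is not the text of r1371878 nor any httpd.conf the project ships, and the User-Agent pattern, the variable name bad_DNT and the log format name are assumptions:

```apache
# Added example of the mechanism discussed above (not the project's own
# config text).  The cost the post objects to is visible here: every
# request pays a regex match against its User-Agent, and the header
# change fires only when the resulting environment variable is set.

<IfModule setenvif_module>
    # Flag requests whose User-Agent carries the IE 10.0 product token.
    # Pattern and variable name are assumptions, not the commit's text.
    BrowserMatch "MSIE 10\.0;" bad_DNT
</IfModule>

<IfModule headers_module>
    # Remove the DNT request header field only for flagged requests,
    # so that the application behind httpd never sees it.
    RequestHeader unset DNT env=bad_DNT
</IfModule>

# A less destructive variant: keep the flag but leave the header alone,
# and record both in the access log so an operator can see how many
# requests would have been affected before deciding anything.
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b dnt=\"%{DNT}i\" flagged=%{bad_DNT}e" dnt_combined
</IfModule>

# To keep the lines only as an illustration, as the post proposes,
# comment them out so no per-request match or header change occurs:
#BrowserMatch "MSIE 10\.0;" bad_DNT
#RequestHeader unset DNT env=bad_DNT
```

With the header-stripping directives commented out and the log format in use, each log line shows the DNT value the client sent and whether the assumed pattern matched, without altering the request.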