Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Apache: Dev

DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)

 

 

Apache dev RSS feed   Index | Next | Previous | View Threaded


covener at gmail

Sep 13, 2012, 4:48 AM

Post #1 of 12 (3359 views)
Permalink
DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in)

On Sat, Aug 11, 2012 at 3:51 AM, <fielding [at] apache> wrote:
> Author: fielding
> Date: Sat Aug 11 07:51:52 2012
> New Revision: 1371878
>
> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
> Log:
> Apache does not tolerate deliberate abuse of open standards

I've come around on this one over time. While I appreciate the
message/intent, I don't think this is reasonable for the default
configuration because it errs on the side of ditching a privacy header
and information loss for a (sensitive) header that we're not yet
interpreting. IMO it's enough even without this specific DNT text:

"An HTTP intermediary must not add, delete, or modify the DNT header
field in requests forwarded through that intermediary unless that
intermediary has been specifically installed or configured to do so by
the user making the requests. For example, an Internet Service
Provider must not inject DNT: 1 on behalf of all of their users who
have not selected a choice."

I'd like to revert it, but this is not yet a veto. I'd like to hear
what others think and would appreciate an ACK from Roy/Greg/Jim who
voted for the backport to avoid any churn.


trawick at gmail

Sep 13, 2012, 6:27 AM

Post #2 of 12 (3257 views)
Permalink
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in) [In reply to]

On Thu, Sep 13, 2012 at 7:48 AM, Eric Covener <covener [at] gmail> wrote:
> On Sat, Aug 11, 2012 at 3:51 AM, <fielding [at] apache> wrote:
>> Author: fielding
>> Date: Sat Aug 11 07:51:52 2012
>> New Revision: 1371878
>>
>> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
>> Log:
>> Apache does not tolerate deliberate abuse of open standards
>
> I've come around on this one over time. While I appreciate the
> message/intent, I don't think this is reasonable for the default
> configuration because it errs on the side of ditching a privacy header
> and information loss for a (sensitive) header that we're not yet
> interpreting. IMO it's enough even without this specific DNT text:
>
> "An HTTP intermediary must not add, delete, or modify the DNT header
> field in requests forwarded through that intermediary unless that
> intermediary has been specifically installed or configured to do so by
> the user making the requests. For example, an Internet Service
> Provider must not inject DNT: 1 on behalf of all of their users who
> have not selected a choice."
>
> I'd like to revert it, but this is not yet a veto. I'd like to hear
> what others think and would appreciate an ACK from Roy/Greg/Jim who
> voted for the backport to avoid any churn.

I agree that it should be reverted. I don't think it is technically
justifiable for the default conf to remove it for IE 10. I don't
think any particular web server deployment that has the general
intention of respecting DNT should unset it for IE 10.

If the will exists within the group, an open letter to Microsoft could
be posted on httpd.apache.org regarding IE 10 flouting the user choice
intent of the DNT specification.


rumble at cord

Sep 13, 2012, 7:25 AM

Post #3 of 12 (3256 views)
Permalink
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in) [In reply to]

On 09/13/2012 03:27 PM, Jeff Trawick wrote:
> On Thu, Sep 13, 2012 at 7:48 AM, Eric Covener <covener [at] gmail> wrote:
>> On Sat, Aug 11, 2012 at 3:51 AM, <fielding [at] apache> wrote:
>>> Author: fielding
>>> Date: Sat Aug 11 07:51:52 2012
>>> New Revision: 1371878
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
>>> Log:
>>> Apache does not tolerate deliberate abuse of open standards
>>
>> I've come around on this one over time. While I appreciate the
>> message/intent, I don't think this is reasonable for the default
>> configuration because it errs on the side of ditching a privacy header
>> and information loss for a (sensitive) header that we're not yet
>> interpreting. IMO it's enough even without this specific DNT text:
>>
>> "An HTTP intermediary must not add, delete, or modify the DNT header
>> field in requests forwarded through that intermediary unless that
>> intermediary has been specifically installed or configured to do so by
>> the user making the requests. For example, an Internet Service
>> Provider must not inject DNT: 1 on behalf of all of their users who
>> have not selected a choice."
>>
>> I'd like to revert it, but this is not yet a veto. I'd like to hear
>> what others think and would appreciate an ACK from Roy/Greg/Jim who
>> voted for the backport to avoid any churn.
>
> I agree that it should be reverted. I don't think it is technically
> justifiable for the default conf to remove it for IE 10. I don't
> think any particular web server deployment that has the general
> intention of respecting DNT should unset it for IE 10.
>
> If the will exists within the group, an open letter to Microsoft could
> be posted on httpd.apache.org regarding IE 10 flouting the user choice
> intent of the DNT specification.
>
I to agree that it should be reverted, if nothing else, then at least
for the time being, till this has been thoroughly discussed.

Technically speaking, as httpd may be used as an intermediary (more
specifially, a proxy/reverse proxy), it is difficult to justify forcing
backends to take into account that we are altering the DNT, as Eric
pointed out in the RFC quote. As I understand it, the patch would apply
to both httpd itself and any backend that it proxies to, who may or may
not be of the same opinion about whether the DNT standard has been
broken by IE. Furthermore, as we ourselves do not support or use this
DNT header ourselves, there is the question of what the patch actually
achieves for httpd.

What Microsoft has done is, to say the least, disappointing from a
technical aspect, as it muddies the waters, and I think Jeff's thoughts
about an open letter would be a very good idea, but it is hard for me to
technically justify editing the DNT header from within httpd, thus also
denying DNT for those who explicitly want it on. The error, as I see it,
lies with Microsoft, and in the end, it should be Microsoft that fixes
it, not httpd that has to make a workaround.

With regards,
Daniel.


ben at links

Sep 13, 2012, 7:28 AM

Post #4 of 12 (3253 views)
Permalink
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in) [In reply to]

On Thu, Sep 13, 2012 at 12:48 PM, Eric Covener <covener [at] gmail> wrote:
> On Sat, Aug 11, 2012 at 3:51 AM, <fielding [at] apache> wrote:
>> Author: fielding
>> Date: Sat Aug 11 07:51:52 2012
>> New Revision: 1371878
>>
>> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
>> Log:
>> Apache does not tolerate deliberate abuse of open standards
>
> I've come around on this one over time. While I appreciate the
> message/intent, I don't think this is reasonable for the default
> configuration because it errs on the side of ditching a privacy header
> and information loss for a (sensitive) header that we're not yet
> interpreting. IMO it's enough even without this specific DNT text:
>
> "An HTTP intermediary must not add, delete, or modify the DNT header
> field in requests forwarded through that intermediary unless that
> intermediary has been specifically installed or configured to do so by
> the user making the requests. For example, an Internet Service
> Provider must not inject DNT: 1 on behalf of all of their users who
> have not selected a choice."

What about _this_ specific DNT text:

"The goal of this protocol is to allow a user to express their
personal preference regarding tracking to each server and web
application that they communicate with via HTTP, thereby allowing each
service to either adjust their behavior to meet the user's
expectations or reach a separate agreement with the user to satisfy
all parties.

Key to that notion of expression is that it MUST reflect the user's
preference, not the preference of some institutional or
network-imposed mechanism outside the user's control."

The header being removed does not conform to this requirement.

>
> I'd like to revert it, but this is not yet a veto. I'd like to hear
> what others think and would appreciate an ACK from Roy/Greg/Jim who
> voted for the backport to avoid any churn.


jim at jaguNET

Sep 13, 2012, 9:31 AM

Post #5 of 12 (3249 views)
Permalink
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in) [In reply to]

I think we are all in agreement, however, that MS is
violating the standard... are we not?

With that as a given, do we Do Nothing? I don't think so;
We shouldn't, by action or inaction, permit violations. Now,
with that as a given, the question is How Do We Respond.

At the very least, the commit sparked some interest and
involvement, even if much of it was worthless and clueless.
I like the idea of using that as a "door-opener" for an
Open Letter. Ideally, in that letter we explain the problem
and the rationale for the commit, we also explain how
to *remove* the "offending" commit (even though it's pretty
ez of course) and that we are keeping the commit in place
until such time as MS changes course, but we are aware that
it could affect adversely affect "innocent" users and so
we want to make sure that they have all the info they need
to remove it.

The idea is to restore the transparency... If we had made a
more public "splash" about this, maybe it wouldn't have created
such a storm of uncluefull backlash; it's the idea that we
did something "sneaky", I think, is what some people find
(understandably) upsetting.


gstein at gmail

Sep 13, 2012, 10:24 AM

Post #6 of 12 (3247 views)
Permalink
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in) [In reply to]

On Sep 13, 2012 7:48 AM, "Eric Covener" <covener [at] gmail> wrote:
>
> On Sat, Aug 11, 2012 at 3:51 AM, <fielding [at] apache> wrote:
> > Author: fielding
> > Date: Sat Aug 11 07:51:52 2012
> > New Revision: 1371878
> >
> > URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
> > Log:
> > Apache does not tolerate deliberate abuse of open standards
>
> I've come around on this one over time. While I appreciate the
> message/intent, I don't think this is reasonable for the default
> configuration because it errs on the side of ditching a privacy header
> and information loss for a (sensitive) header that we're not yet
> interpreting. IMO it's enough even without this specific DNT text:
>
> "An HTTP intermediary must not add, delete, or modify the DNT header
> field in requests forwarded through that intermediary unless that
> intermediary has been specifically installed or configured to do so by
> the user making the requests. For example, an Internet Service
> Provider must not inject DNT: 1 on behalf of all of their users who
> have not selected a choice."
>
> I'd like to revert it, but this is not yet a veto. I'd like to hear
> what others think and would appreciate an ACK from Roy/Greg/Jim who
> voted for the backport to avoid any churn.

Microsoft is putting their users at risk, not us. I believe the change
should remain.


trawick at gmail

Sep 13, 2012, 10:24 AM

Post #7 of 12 (3244 views)
Permalink
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in) [In reply to]

On Thu, Sep 13, 2012 at 12:31 PM, Jim Jagielski <jim [at] jagunet> wrote:
> I think we are all in agreement, however, that MS is
> violating the standard... are we not?
>
> With that as a given, do we Do Nothing? I don't think so;
> We shouldn't, by action or inaction, permit violations. Now,
> with that as a given, the question is How Do We Respond.
>
> At the very least, the commit sparked some interest and
> involvement, even if much of it was worthless and clueless.
> I like the idea of using that as a "door-opener" for an
> Open Letter. Ideally, in that letter we explain the problem
> and the rationale for the commit, we also explain how
> to *remove* the "offending" commit (even though it's pretty
> ez of course) and that we are keeping the commit in place
> until such time as MS changes course, but we are aware that
> it could affect adversely affect "innocent" users and so
> we want to make sure that they have all the info they need
> to remove it.
>
> The idea is to restore the transparency... If we had made a
> more public "splash" about this, maybe it wouldn't have created
> such a storm of uncluefull backlash; it's the idea that we
> did something "sneaky", I think, is what some people find
> (understandably) upsetting.

I don't think it is a transparency issue so much as a poor choice of
venues for airing the disagreement. We've put something in the .conf
file that many administrators will need to remove and almost none will
have a need to keep. The message to Microsoft, such as it is, suffers
because of that.

--
Born in Roswell... married an alien...
http://emptyhammock.com/


isoma at jellybaby

Sep 13, 2012, 10:33 AM

Post #8 of 12 (3250 views)
Permalink
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in) [In reply to]

On 13 Sep 2012, at 18:24, Jeff Trawick <trawick [at] gmail> wrote:

> I don't think it is a transparency issue so much as a poor choice of
> venues for airing the disagreement. We've put something in the .conf
> file that many administrators will need to remove and almost none will
> have a need to keep. The message to Microsoft, such as it is, suffers
> because of that.

s/administrators/packagers/ ?

--
Tim Bannister isoma [at] jellybaby
Attachments: smime.p7s (4.29 KB)


jim at jaguNET

Sep 13, 2012, 10:59 AM

Post #9 of 12 (3241 views)
Permalink
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in) [In reply to]

On Sep 13, 2012, at 1:24 PM, Jeff Trawick <trawick [at] gmail> wrote:

> On Thu, Sep 13, 2012 at 12:31 PM, Jim Jagielski <jim [at] jagunet> wrote:
>> I think we are all in agreement, however, that MS is
>> violating the standard... are we not?
>>
>> With that as a given, do we Do Nothing? I don't think so;
>> We shouldn't, by action or inaction, permit violations. Now,
>> with that as a given, the question is How Do We Respond.
>>
>> At the very least, the commit sparked some interest and
>> involvement, even if much of it was worthless and clueless.
>> I like the idea of using that as a "door-opener" for an
>> Open Letter. Ideally, in that letter we explain the problem
>> and the rationale for the commit, we also explain how
>> to *remove* the "offending" commit (even though it's pretty
>> ez of course) and that we are keeping the commit in place
>> until such time as MS changes course, but we are aware that
>> it could affect adversely affect "innocent" users and so
>> we want to make sure that they have all the info they need
>> to remove it.
>>
>> The idea is to restore the transparency... If we had made a
>> more public "splash" about this, maybe it wouldn't have created
>> such a storm of uncluefull backlash; it's the idea that we
>> did something "sneaky", I think, is what some people find
>> (understandably) upsetting.
>
> I don't think it is a transparency issue so much as a poor choice of
> venues for airing the disagreement. We've put something in the .conf
> file that many administrators will need to remove and almost none will
> have a need to keep. The message to Microsoft, such as it is, suffers
> because of that.
>

I agree.


trawick at gmail

Sep 13, 2012, 11:32 AM

Post #10 of 12 (3246 views)
Permalink
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in) [In reply to]

On Thu, Sep 13, 2012 at 1:33 PM, Tim Bannister <isoma [at] jellybaby> wrote:
> On 13 Sep 2012, at 18:24, Jeff Trawick <trawick [at] gmail> wrote:
>
>> I don't think it is a transparency issue so much as a poor choice of
>> venues for airing the disagreement. We've put something in the .conf
>> file that many administrators will need to remove and almost none will
>> have a need to keep. The message to Microsoft, such as it is, suffers
>> because of that.
>
> s/administrators/packagers/ ?

No packager is going to ship those lines. (IOW, the whole
conversation is about the tiny subset of sites that start with the
httpd.apache.org 2.4 default .conf and actually use DNT...)

>
> --
> Tim Bannister isoma [at] jellybaby
>



--
Born in Roswell... married an alien...
http://emptyhammock.com/


fielding at gbiv

Sep 13, 2012, 1:28 PM

Post #11 of 12 (3283 views)
Permalink
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in) [In reply to]

On Sep 13, 2012, at 4:48 AM, Eric Covener wrote:

> On Sat, Aug 11, 2012 at 3:51 AM, <fielding [at] apache> wrote:
>> Author: fielding
>> Date: Sat Aug 11 07:51:52 2012
>> New Revision: 1371878
>>
>> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev
>> Log:
>> Apache does not tolerate deliberate abuse of open standards
>
> I've come around on this one over time. While I appreciate the
> message/intent, I don't think this is reasonable for the default
> configuration because it errs on the side of ditching a privacy header
> and information loss for a (sensitive) header that we're not yet
> interpreting.

For those of you who haven't been following along, I'll include some
links at the bottom for background. DNT is not a privacy header.
There is no magic pixy dust that sprinkles privacy bits on anyone
that receives it. DNT is supposed to be an expression of user
preference so that recipients will respect that user's desires.

It really is a question of deployment. Right now, nobody can comply
with DNT on the server because none of the response mechanisms have
been approved yet and the meaning of DNT is not agreed. There are
a few sites that had been recognizing DNT as equivalent to their
prior cookie-based opt-out, but most of those have since removed
support of DNT (either for all UAs or only for IE 10.0) because
of the default issue.

OTOH, if we were to attempt an implementation of DNT, then we could
address it directly with the user instead of dropping the header
field. Unfortunately, the WG has not yet agreed on a mechanism for a
server to indicate that it "supports DNT in general, but for your
specific user agent we need to ask again to confirm that it was
by choice". There is also a general problem that, because compliance
means long-term data controls and access restrictions are promised
by the service owner, we can't respond as DNT compliant even if we
have complied within our own server software.

> IMO it's enough even without this specific DNT text:
>
> "An HTTP intermediary must not add, delete, or modify the DNT header
> field in requests forwarded through that intermediary unless that
> intermediary has been specifically installed or configured to do so by
> the user making the requests. For example, an Internet Service
> Provider must not inject DNT: 1 on behalf of all of their users who
> have not selected a choice."

Yes (I wrote that part too), but keep in mind that we don't comply
with DNT yet, nor are we likely to until the access log issues
are resolved. I agree that we cannot have the config remain if
we intend to comply with the standard, but that simply doesn't
matter if IE 10.0 destroys DNT before we can even get there.

> I'd like to revert it, but this is not yet a veto. I'd like to hear
> what others think and would appreciate an ACK from Roy/Greg/Jim who
> voted for the backport to avoid any churn.

Strictly speaking, I don't think it is possible to veto a change made
in a prior release, but I think this one should be reverted (or at least
modified) if any of our PMC members feel so strongly now that they
would have vetoed it last month. Consensus is important here.

Given the pathetic way that the Tracking Protection working group
members have addressed this issue, both for and against the behavior
of IE 10.0, I have lost any energy I once had for defending Mozilla's
original definition. It was the only issue of substance that the WG
had managed to record consensus, in over a year of deliberation.
I would prefer that the WG change the text, one way or the other,
before we make another change, but I also want anything we do to be
based on what we think is right, not what others think or fail to do.

Regardless, I am +0 to revert, for none of the above reasons.
I am not fond of the performance hit of checking for a browser
version and setting an environment variable, just to support a
standard that is not being backed by the standards group.
I'd rather focus on new standards that aren't being manipulated
by EC/DC politics and the trolls that they feed. I would, however,
like to leave the three browsermatch lines in the config
(commented out) as an example.

With regard to open letters, I'm done with that after our experience
with Sun. If I had thought there was any chance of a letter working,
it would have been the first action proposed. I am not opposed to
the idea of sending official feedback through our friends at Microsoft,
but please understand that it won't be effective unless we can make
it in their own interest to stop abusing the standard.

Apache's original mission is still important to me, even if the
rest of the world has forgotten.

http://oreilly.com/catalog/opensources/book/brian.html

....Roy

The following links may help with background.

http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#determining

http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/08/07/do-not-track-in-the-windows-8-set-up-experience.aspx

http://www.computerworld.com/s/article/9230362/Windows_8_setup_shows_Do_Not_Track_options

http://lists.w3.org/Archives/Public/public-tracking/2012Aug/0076.html

http://lists.w3.org/Archives/Public/public-tracking/2012Sep/0165.html


jim at jaguNET

Sep 14, 2012, 5:55 AM

Post #12 of 12 (3247 views)
Permalink
Re: DNT & IE10 (was svn commit: r1371878 - /httpd/httpd/trunk/docs/conf/httpd.conf.in) [In reply to]

On Sep 13, 2012, at 4:28 PM, Roy T. Fielding <fielding [at] gbiv> wrote:

>
> Regardless, I am +0 to revert, for none of the above reasons.
> I am not fond of the performance hit of checking for a browser
> version and setting an environment variable, just to support a
> standard that is not being backed by the standards group.
> I'd rather focus on new standards that aren't being manipulated
> by EC/DC politics and the trolls that they feed. I would, however,
> like to leave the three browsermatch lines in the config
> (commented out) as an example.
>

+1

> With regard to open letters, I'm done with that after our experience
> with Sun. If I had thought there was any chance of a letter working,
> it would have been the first action proposed. I am not opposed to
> the idea of sending official feedback through our friends at Microsoft,
> but please understand that it won't be effective unless we can make
> it in their own interest to stop abusing the standard.
>

I doubt that an open letter would/will change anything, but it's
open for a reason: so that the larger community, and not just MS
(or whoever it is directed to) is aware of our position and the
rationale behind it. It's to garner support for our POV and, as
such, I still think it's worthwhile, esp if we do adjust the
config file to comment them out.

> Apache's original mission is still important to me, even if the
> rest of the world has forgotten.
>

I think it's also important to the PMC and the developers as well.

Apache dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.