search

privacycg / gpc-spec

Global Privacy Control Specification
https://privacycg.github.io/gpc-spec/
Other
105 stars 19 forks source link

Ensure consistency between HTTP and JavaScript #49

Closed arichiv closed 1 year ago

arichiv commented 1 year ago

As written, the current spec implies that:

This is inconsistent, and seems like it will lead to weird edge cases if the preference is changed mid-load. I propose that we adopt the approach of JavaScript for HTTP so both return the preference cached at the time of the last top-level navigation.

I'm have a draft of this in #38

arichiv commented 1 year ago

@SebastianZimmeck (or other person with permission) can you add the agenda+ tag so this is discussed thursday?

SebastianZimmeck commented 1 year ago

It is a good point, @arichiv! It looks like we won't be able to get to it this week. But we will surely do it in one of the next meetings ... (at which point I will put the agenda+ label on).

npdoty commented 1 year ago

Preference changes in the middle of loading a page don't seem common or need well-defined behavior (although I'm curious if any other specs do define that), but changing preferences after a page is loaded will certainly happen (because people keep pages open for long periods of time, and preferences do get changed, not just at startup time).

Perhaps there could be simpler text to say: if the user changes their preference after a page is loaded, UAs could reload the page or reflect the preference (in sub-http requests and the javascript property) only on subsequent page loads.

arichiv commented 1 year ago

It's true this isn't reflected in other specs, including the DNT spec itself: "Ideally, the value of Navigator.doNotTrack ought to reflect the current set of user-granted exceptions in effect when the attribute is read." https://www.w3.org/TR/tracking-dnt/#expressing

I think it's worth requiring locked consistency within a given navigation for all subresources and subframes as that seems the most correct/consistent approach and this spec is still being incubated, but I'd also be fine with unifying HTTP/JavaScript approaches the other direction and always using the 'live' value of the preference if that's what you're saying.

arichiv commented 1 year ago

It's true this isn't reflected in other specs, including the DNT spec itself: "Ideally, the value of Navigator.doNotTrack ought to reflect the current set of user-granted exceptions in effect when the attribute is read." https://www.w3.org/TR/tracking-dnt/#expressing

I think it's worth requiring locked consistency within a given navigation for all subresources and subframes as that seems the most correct/consistent approach and this spec is still being incubated, but I'd also be fine with unifying HTTP/JavaScript approaches the other direction and always using the 'live' value of the preference if that's what you're saying.

AramZS commented 1 year ago

I think this is worthwhile discussing in the CG. @martinthomson let's add this to the agenda.