[tor-bugs] #5501 [TorBrowserButton]: enable Do-Not-Track DNT by default
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sat Apr 21 20:35:17 UTC 2012
#5501: enable Do-Not-Track DNT by default
------------------------------+---------------------------------------------
Reporter: cypherpunks | Owner: mikeperry
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: TorBrowserButton | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------------+---------------------------------------------
Comment(by pde):
It's important to understand that if we're talking about legal
consequences, we're dealing with legal reasoning rather than technical
reasoning. The first thing to understand about legal reasoning is that
''isn't'' consistent in a logical sense. It can have all sorts of fuzzy
and contradictory aspects to it, and these tend to be resolved in a way
that makes sense to judges (who are usually not technically
sophisticated), if they are ever resolved at all.
Replying to [comment:20 rransom]:
> With IFRAME, every website can be turned into a third party. And almost
every non-trivial web application (including Trac) sets cookies in order
to prevent CSRF attacks.
(Aside: I'm a bit confused about how a cookie can prevent a CSRF attack.
Surely CSRF tokens need to be something that an attacker can't cause the
victim's browser to send, such as internal DOM state, or a fragment or
query parameter. But let me answer as though cookies were necessary for
CSRF protection)
The W3C spec is not finished yet, but the proposals all deal with the
above by saying something like: "a website is a third party for a given
request if it can infer with high probability that it is a third party".
So things that are designed or promoted for embedding are third parties;
stuff that someone else randomly hotlinks or <iframe>s is not.
The proposals also have exceptions for widgets and other third party
things that the user knowingly chooses to interact with. So if someone
builds a "distributed web bug tracker" that is embeddable in a lot of
sites, if a user chooses to turn that on/logs in/etc, it's okay for it to
set cookies and track that user across sites.
And before anyone asks, the aim with sites like Facebook/Twitter/etc that
function as both first and third parties is to make sure that
consent/choice to interact for the third-party aspect of the site is
preserved, even if you're logged into it as a first party. One
consequence is that this handful of giant hybrid first/third parties
should migrate to different domains for their first and third party stuff.
Which most of them have already done, for exactly this sort of reason.
> DNT laws and regulations are likely to be as destructive as SOPA, if not
worse. I oppose them strongly, and I hope that EFF will recognize the
danger that DNT poses to a free and open Internet and stop supporting DNT
legislation.
We aren't sure whether legislation is the right way to get DNT implemented
(there are really a lot of ways it might happen), and at the moment no DNT
legislation is remotely close to passing. If that ever changes, we'll
look extremely closely at whatever bill, and work with the community, to
make sure that it doesn't have unintended technical consequences. And if
we feared it might, we would not support it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5501#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list