Skip to content

Wire up a way for users to disable particular kinds of reporting. #254

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Wire up a way for users to disable particular kinds of reporting. #254

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
99bbbfb
Wire up a way for users to disable particular kinds of reporting.
jyasskin Sep 15, 2022
fdf7f70
Note that disabled reports are a tracking vector.
jyasskin Sep 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 21 additions & 2 deletions index.src.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -289,6 +289,17 @@ <h4 id="concept-reports">Reports</h4>
counter, which is a non-negative integer representing the number of times the
user agent attempted to deliver the report.

<h4 id="concept-configuration">User configuration</h4>

Reporting may be <dfn for="reporting">disabled</dfn> for particular [=report
types=], potentially on particular [=origins=]. The specification does not
define how [=/user agents=] determine whether their users prefer to disable
reporting.
Comment on lines +295 to +297
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the bit that I think addresses #168. While it doesn't go as far as @pes10k wants in requiring all UAs to make reporting opt-in, it does allow any UA to do that if it thinks that's what its users want. I think that's likely to be as far as the WG will have consensus to go, although the WG could surprise me.


<p tracking-vector>Changing the default for a [=report type=] across all
origins is a [=tracking vector=] because a site can detect that an expected
report isn't sent.

<h3 id="media-type">Media Type</h3>

The media type used when POSTing reports to a specified endpoint is
Expand Down Expand Up @@ -493,6 +504,9 @@ <h4 id="generate-report" export algorithm>Generate report of |type| with

1. Let |settings| be |context|'s [=relevant settings object=].

1. If reporting is [=reporting/disabled=] for |type| and |settings|'
[=environment settings object/origin=], return.

2. Let |report| be the result of running [=generate a report=] with |data|,
|type|, |destination| and |settings|.

Expand Down Expand Up @@ -1086,9 +1100,14 @@ <h3 id="disable">Disabling Reporting</h3>
Sending reports costs bandwidth, and potentially could reveal some small
amount of additional information above and beyond what a website can obtain
in-band ([[NETWORK-ERROR-LOGGING]], for instance). User agents MUST allow
users to disable reporting with some reasonable amount of granularity in order
to maintain the priority of constituencies espoused in
users to [=reporting/disabled|disable reporting=] with some reasonable amount
of granularity in order to maintain the priority of constituencies espoused in
[[HTML-DESIGN-PRINCIPLES]].

To reduce the amount that this configuration is a [=tracking vector=], the
user agent would need to make it difficult to detect whether it sends an
expected report, perhaps by spreading out reports over a wider time or by
omitting some reports even if that type of reporting is enabled.
</section>

<!-- Big Text: IANA -->
Expand Down