On 09/13/2012 03:27 PM, Jeff Trawick wrote: > On Thu, Sep 13, 2012 at 7:48 AM, Eric Covener <cove...@gmail.com> wrote: >> On Sat, Aug 11, 2012 at 3:51 AM, <field...@apache.org> wrote: >>> Author: fielding >>> Date: Sat Aug 11 07:51:52 2012 >>> New Revision: 1371878 >>> >>> URL: http://svn.apache.org/viewvc?rev=1371878&view=rev >>> Log: >>> Apache does not tolerate deliberate abuse of open standards >> >> I've come around on this one over time. While I appreciate the >> message/intent, I don't think this is reasonable for the default >> configuration because it errs on the side of ditching a privacy header >> and information loss for a (sensitive) header that we're not yet >> interpreting. IMO it's enough even without this specific DNT text: >> >> "An HTTP intermediary must not add, delete, or modify the DNT header >> field in requests forwarded through that intermediary unless that >> intermediary has been specifically installed or configured to do so by >> the user making the requests. For example, an Internet Service >> Provider must not inject DNT: 1 on behalf of all of their users who >> have not selected a choice." >> >> I'd like to revert it, but this is not yet a veto. I'd like to hear >> what others think and would appreciate an ACK from Roy/Greg/Jim who >> voted for the backport to avoid any churn. > > I agree that it should be reverted. I don't think it is technically > justifiable for the default conf to remove it for IE 10. I don't > think any particular web server deployment that has the general > intention of respecting DNT should unset it for IE 10. > > If the will exists within the group, an open letter to Microsoft could > be posted on httpd.apache.org regarding IE 10 flouting the user choice > intent of the DNT specification. > I to agree that it should be reverted, if nothing else, then at least for the time being, till this has been thoroughly discussed.
Technically speaking, as httpd may be used as an intermediary (more specifially, a proxy/reverse proxy), it is difficult to justify forcing backends to take into account that we are altering the DNT, as Eric pointed out in the RFC quote. As I understand it, the patch would apply to both httpd itself and any backend that it proxies to, who may or may not be of the same opinion about whether the DNT standard has been broken by IE. Furthermore, as we ourselves do not support or use this DNT header ourselves, there is the question of what the patch actually achieves for httpd. What Microsoft has done is, to say the least, disappointing from a technical aspect, as it muddies the waters, and I think Jeff's thoughts about an open letter would be a very good idea, but it is hard for me to technically justify editing the DNT header from within httpd, thus also denying DNT for those who explicitly want it on. The error, as I see it, lies with Microsoft, and in the end, it should be Microsoft that fixes it, not httpd that has to make a workaround. With regards, Daniel.
