https://issues.apache.org/bugzilla/show_bug.cgi?id=53845
--- Comment #3 from Roy T. Fielding <[email protected]> --- Apache HTTP Server does not yet implement DNT (and makes no claims of compliance) because: (1) DNT impacts first party services differently than third party services and we have no way of knowing which one applies; and, (2) the sections of the specifications regarding server compliance and the tracking status response are still in flux, particularly in regard to access logs. If we do implement DNT, the implementation might impact code throughout the whole server, and the workarounds for broken browsers might then be more subtle than simply dropping the signal. Browsers have chosen to send DNT already, in spite of it not having a proper definition and not actually doing anything for users, because it is easy for them to claim "privacy" while punting the actual work to servers. Jonathan is incorrect. A dialog box presented to the user with a preselected option of "on" does not qualify as a default of "unset", nor do the Express settings of IE10.0 qualify as a preference for privacy (read them and see). The working group is not a judicial branch -- it will not sit around forever adjudicating whether a given implementation complies or not, and nobody has ever claimed that the standard requires servers to ignore invalid signals. Apache chose to do so because the signal is meaningless if it is set by default, and it is harmful to deployment of DNT, to the Web, and to the open standards process if we allow such deliberate abuse to be propagated downstream. That section of the Tracking Preference Expression has been formally reviewed by the WG several times to assure that it represents the consensus on ISSUE-4. It is part of an open standard under development, which means the right way to change it is to go through the working group process and request a change. If the working group changes its opinion regarding the "unset" default or how it might be implemented, then I (or someone faster than me) will submit a patch to Apache that corresponds to the new consensus opinion of the working group. Apache has no particular interest in what goes in the DNT open standard -- only in that the protocol means what the WG says it means when the extra eight bytes are sent on the wire. Of course, we'd prefer that the standard specifies something that we can implement, because we are not going to turn off access logs just because a potentially evil client asks, but this block will be removed as soon as the user agent is compliant, whether that is because of IE10 fixing their bug or the WG changing the specification. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
