Payment Request API | W3C

Payment Request API; W3C; 2017-09-21.

  • Adrian Bateman, Microsoft Corporation
  • Zach Koch, Google
  • Roy McElmurry, Facebook
  • Domenic Denicola, Google
  • Marcos Cáceres, Mozilla

Promotions

SubResource Integrity (SRI)

Implementation

  • Blink/Chromium → 355467 Subresource Integrity; In Google Chromium Bugzilla; 2014-03-24.
  • Gecko → 992096 Implement Subresource Integrity; In Mozilla Bugzilla; 2014-09-03.
  • Subresource Integrity (SRI) Manager, a WordPress Plugin; WordPress.org; 2015-06-15.
    Requires WordPress 4.1 to WordPress 4.2.5.

Tutorial

Referenced

Promotion

Usage

SRI Hash Generator

cat FILENAME.js |
openssl dgst -sha384 -binary |
openssl enc -base64 -A
<script src="https://example.com/FILENAME.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>

Unsanctioned Web Tracking | W3C

Unsanctioned Web Tracking; Finding; Technical Architecture Group (TAG); W3C; 2015-07-17.

This Version:
unsanctioned-tracking-20150717
Latest Version:
unsanctioned-tracking
Latest editor’s draft:
work site
Editor:
Mark Nottingham

Findings

Section 5

<quote>

  • Finds that unsanctioned tracking is actively harmful to the Web, because it is not under the control of users and not transparent.
  • Believes that, because combatting fingerprinting is difficult, new Web specifications should take reasonable measures to avoid adding unneeded fingerprinting surface area. However, added surface area should not be a primary factor in determining whether to add a new feature.
  • Asserts that when a new feature does add fingerprinting surface area, it should be documented as such.
  • Finds that new local storage features and other potential tracking mechanisms should maintain and interoperate with existing user controls.
  • Encourages browser vendors to expose appropriate controls to users who wish to minimize their fingerprinting surface area.
  • Acknowledges that despite best efforts, technical solutions to unsanctioned tracking are not able to completely prevent its use by a determined adversary. Instead, our focus should be on making sure that unsanctioned tracking does not become “normal” on the Web.
  • Encourages policy makers to be aware that unsanctioned tracking may introduce privacy, security and consumer protection concerns within their jurisdiction, and to consider appropriate action.

</quote>

Definitions

The finding is light on the definition of the effect (what is ‘unsanctioned tracking’?). It seems to be enumerated in Sections 1 & 2 as:

  • unsanctioned web tracking → is the inverse of standards-defined tracking.
  • standards-defined web tracking → interpreted as
    • Technologies
      • HTML4 State (Cookies)
      • HTML5 Web Storage
    • Acceptable pattern of use
      • Pixels (GET of zero-sized, no-op, documents [images])
      • Consumer-visibility affordance
      • Consumer-visible opt out signalling.
    • Acceptable product features & business models
      • shopping carts
      • persistent site preferences
      • behavioral advertising
      • [unclear whether the list is closed or open]

Not Mentioned

  • Advertising Identifiers, e.g. IDFA, GPSAID
  • Geofencing, geo-behavioral identification.

References

Appendix A

[RFC6265]
A. Barth. HTTP State Management Mechanism. 2011-04. Proposed Standard. URL:
[confinement]
Butler W. Lampson. A Note on the Confinement Problem. In Communications of the ACM; Volume 16, Number 10; 1973-10; 5 pages.
[spy-sandbox]
Yossef Oren; Vasileios P. Kemerlis; Simha Sethumadhavan; Angelos D. Keromytis. The Spy in the Sandbox – Practical Cache Attacks in Javascript.; previously filled.
[udhr]
Universal Declaration of Human Rights.
[webstorage]
Ian Hickson. Web Storage (Second Edition). 2015-06-09. W3C Candidate Recommendation.

Inline

Linked within the document; in order of appearance

Related

Rebuttal

This is a straw man, a red herring, a toy argument.  The elements cited are substantially fringe techniques in any case, but that notwithstanding: there is no such category as unsanctioned tracking.  All in-industry tracking & targeting is done under consumer consent, with agreements voluntarily entered into with full presentment of Notice and the availability of the affordance of Choice, subject to the stated Terms & Conditions of the owner of the (entertainment) service which is being delivered unto the consumer for their enjoyment.  There is no other kind of trak-N-targ except under consumer consent; it simply doesn’t exist, it can’t exist by definition.  Acceptance of the T&C contract is by adhesion, and the consumer’s remedy upon inability to accept the T&C is to leave the area [leave the internet].  For fun, here is a publisher who makes this framework very clear: <quote>If you don’t agree to the terms contained in this User Agreement and Privacy Policy, you must immediately exit the Service.</quote>

California Privacy Policy; At Condé Nast, in force at Ars Technica; 2014-01-02 → 2015-07-17 (present).


Via: backfill

Geofencing API | W3C

Geofencing API; editor: Marijn Kruisselbrink (Google); W3C; 2015-03-18.

Referenced

  • Service Workers; editors: Alex Russell (Google), Jungkee Song (Samsung), Jake Archibald (Google); Working Draft; W3C; 2015-02-03.
  • Geolocation API Specification; editor: Andrei Popescu (Google); Recommendation; W3C; 2013-10-24.
  • Web IDL; editor: Cameron McCormack (Mozilla); Candidate Recommendation; W3C; 2012-04-19.

Example

The following code extracts illustrate how to use this API to be notified of geographic regions being entered or left.

Example 1: Monitor a region

// https://example.com/webapp.js
navigator.serviceWorker.register('serviceworker.js').then(
  function(serviceWorkerRegistration) {
    serviceWorkerRegistration.geofencing.add(
        new CircularGeofenceRegion({
          name: "myfence",
          latitude: 37.421999,
          longitude: -122.084015,
          radius: 1000
        }), {includePosition: true}).then(
      function(geofence) {
        console.log(geofence.id);
        // If more than just a name needs to be stored with a geofence, now
        // would be the time to store this in some storage.
      }, function(error) {
        // During development it often helps to log errors to the
        // console. In a production environment it might make sense to
        // also report information about errors back to the
        // application server.
        console.log(error);
      }
    );
  });

Example 2: Respond to a region being entered

// https://example.com/serviceworker.js
self.ongeofenceenter = function(event) {
  console.log(event.geofence.id);
  console.log(event.geofence.region.name);

  // If this is not a geofence of interest anymore, remove it.
  if (event.geofence.region.name !== "myfence") {
    event.waitUntil(event.geofence.remove());
  }
};

Example 3: Respond to an error condition

// https://example.com/serviceworker.js
self.ongeofenceerror = function(event) {
  console.log(event.geofence.id);
  console.log(event.geofence.region.name);
  console.log(event.error);

  // Some error condition occurred. The region is no longer monitored, and won't
  // trigger any more events.

  // Try to re-monitor, although depending on the error this might fail.
  event.waitUntil(self.registration.geofencing.add(event.geofence.region).then(
    function(geofence) {
      // re-monitoring succeeded, new geofence will have a different ID.
    }, function(error) {
      // re-monitoring failed.
    }
  ));
};

Example 4: Unmonitor a region in response to some other event

// https://example.com/serviceworker.js

// Either look geofence up by name:
self.onsomeevent = function(event) {
  event.waitUntil(self.registration.geofencing.getAll({name: "myfence"}).then(
    function(geofences) {
      for (let i = 0; i < geofences.length; ++i) {
        geofences[i].remove();
      }
    }
  ));
};

// Or look geofence up by ID:
self.onsomeotherevent = function(event) {
  let geofence_id = "" /* somehow get the ID of a geofence */;
  event.waitUntil(self.registration.geofencing.getById(geofence_id).then(
    function(geofence) {
      geofence.remove();
    }
  ));
};

Via: backfill

Beacon API (navigator.sendBeacon) | W3C

Beacon; editors: Arvind Jain (Google), Jatinder Mann (Microsoft); W3C; 2014-02-12.

Referenced

  • Web IDL; editor: Cameron McCormack (Mozilla); Candidate Recommendation; W3C; 2012-04-19.

Example

The following example shows theoretical analytics code that attempts to submit data to a server using a synchronous XMLHttpRequest in an unload handler. This delays the unload of the page.

window.addEventListener('unload', logData, false);

function logData() {
    var client = new XMLHttpRequest();
    client.open("POST", "/log", false); // third parameter indicates sync xhr
    client.setRequestHeader("Content-Type", "text/plain;charset=UTF-8");
    client.send(analyticsData);
}

Using the sendBeacon method, the data will be transmitted asynchronously to the web server when the User Agent has had an opportunity to do so, without delaying the unload or affecting the performance of the next navigation.

The following example shows a theoretical analytics code pattern that submits data to a server by using the sendBeacon method.

window.addEventListener('unload', logData, false);

function logData() {
    navigator.sendBeacon("/log", analyticsData);
}

Availabilities

Via: backfill

Web & Digital Marketing Convergence: Digital Marketing Workshop | W3C

Web & Digital Marketing Convergence; Digital Marketing Workshop, W3C, sponsored by Nielsen; Tampa FL; 2015-09-17 & 2015-09-18.

tl;dr → learning the industry

Presentations

Papers

Referenced

Via: backfill