This repository has been archived by the owner on Jun 26, 2019. It is now read-only.

TAO opt-in: pros, cons, and implementation #1

Open
igrigorik opened this issue Jul 19, 2016 · 3 comments

@igrigorik
Member

As a thought experiment, let's say we defined Content Size to require mandatory TAO opt-in:

  • The (iframe) document must provide TAO opt-in: this exposes the size of the document to the embedder.
  • All resources within the embedded context must provide TAO opt-in: this exposes the size of each resource to the nested context. The iframe'd document by providing the TAO opt-in to the embedder then also exposes its subresource total.
    • Resources that don't provide the TAO opt-in are blocked by the user agent.

The above model means we can expose exact byte counts. The embedder wouldn't see the specific resources fetched by the nested context, but it would know their total size.

The downside to the above is that it requires explicit opt-in by the embedded content, which may or may not be practical for some of the use cases we'd like this to be used in.
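
The model in the comment above, as an added sketch that is not part of the thread or of any specification: the TAO check is modeled on the Resource Timing `Timing-Allow-Origin` rule, and the frame object, origins, byte counts and function names are constructed for illustration. It assumes a document that does not opt in to the embedder exposes no size at all.

```javascript
// Added sketch of the thought experiment above; constructed, not spec or browser code.

// TAO check modeled on Resource Timing: the Timing-Allow-Origin value is a
// comma-separated list, and "*" or an exact, case-sensitive origin match passes.
function passesTAO(headerValue, origin) {
  if (typeof headerValue !== "string") return false;
  return headerValue.split(",").map((v) => v.trim())
    .some((v) => v === "*" || v === origin);
}

// User-agent side: subresources must opt in to the nested context (the iframe's
// origin); anything without the opt-in is blocked and never counted.
function loadNestedContext(frame) {
  const loaded = [], blocked = [];
  for (const r of frame.resources) {
    (passesTAO(r.tao, frame.origin) ? loaded : blocked).push(r);
  }
  return { loaded, blocked };
}

// Embedder side: one exact byte total, no per-resource detail.
// Assumption: a document without TAO for the embedder exposes nothing (null).
function sizeExposedToEmbedder(frame, embedderOrigin) {
  if (!passesTAO(frame.tao, embedderOrigin)) return null;
  const { loaded } = loadNestedContext(frame);
  return loaded.reduce((sum, r) => sum + r.bytes, frame.bytes);
}

// Constructed sample frame (hypothetical origins and sizes).
const sampleFrame = {
  origin: "https://widget.example",
  tao: "https://publisher.example",
  bytes: 1200,
  resources: [
    { url: "https://cdn.example/a.js", tao: "*", bytes: 5000 },
    { url: "https://img.example/b.png", tao: "https://other.example, https://widget.example", bytes: 3000 },
    { url: "https://ads.example/c.gif", tao: undefined, bytes: 700 },
    { url: "https://css.example/d.css", tao: "https://WIDGET.example", bytes: 100 },
  ],
};

console.log(sizeExposedToEmbedder(sampleFrame, "https://publisher.example"));
```

The two resources without a matching opt-in (a missing header and a case-mismatched origin) are blocked, so they contribute nothing to the total the embedder sees.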

@yoavweiss
Collaborator

I think that is the best route forward, assuming we can pull it off and convince most third parties that they must add TAO headers.

I guess the biggest question here is if there are third party use-cases that would violate user privacy by enabling TAO (e.g. widgets that change resources fetched based on user login/preference/unread messages, etc).

@csharrison
Collaborator

I'm concerned this would be extremely difficult in practice. Do we have a sense for a minimum number of third parties which we would need to add TAO header to enable even a single ad to render correctly (assuming we block resources without TAO)? My hunch is that it would be a big effort.

@jkarlin
Collaborator

jkarlin commented Jun 27, 2017

I agree with csharrison@. The primary use-case for size policy is to restrict third-party ads and social widgets so that publishers have more control over the user experience of their pages. If you require TAO then the publisher really doesn't have any more control than before.
