
Apache does not tolerate deliberate abuse of open standards

git-svn-id: 13f79535-47bb-0310-9956-ffa450edef68
1 parent 9843179 commit a381ff35fa4d50a5f7b9f64300dfd98859dee8d0 @royfielding royfielding committed Aug 11, 2012
Showing with 10 additions and 0 deletions.
  1. +10 −0 docs/conf/
@@ -409,3 +409,13 @@ Include @rel_sysconfdir@/extra/proxy-html.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
+# Deal with user agents that deliberately violate open standards

doot0 Sep 11, 2012

This is entirely subjective.

On whose authority does IE10 violate open standards?


imanavg Sep 12, 2012

Why should MS change their code? They are actually compliant with the spec. This patch overrides the choice of the vast majority of users who select express settings by choice and are the sole user of their PC. This patch is really in a hate-filled spirit, which is sad.


ToBeFree Nov 21, 2012

Full support! I don't think the patch is "in a hate filled spirit"; it just shows how bad Microsoft's decision to violate this standard was.

+<IfModule setenvif_module>
+BrowserMatch "MSIE 10.0;" bad_DNT

IDisposable Sep 11, 2012

Singles out one version of one browser, who's going to maintain the list of "violates Roy's vision" when he finds another windmill to tilt at?


mhstern Sep 20, 2012

Roy Fielding simply wants to see who has the bigger one and whether he can make Microsoft buckle before him. As a result, Apache gets more bloat, but who really cares about simple things like that? After all, every administrator can easily spend the two minutes to clean up the mess that one "important man" left in.

+<IfModule headers_module>
+RequestHeader unset DNT env=bad_DNT
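Review bot: `BrowserMatch "MSIE 10.0;" bad_DNT` is an unanchored regex substring match on the User-Agent (and the unescaped `.` matches any character), so any client whose UA string merely contains that token, including a deliberately forged one, gets the flag, and `RequestHeader unset DNT env=bad_DNT` then drops the header whether it carries `DNT: 1` or `DNT: 0` and whether the user set it explicitly or via Express settings; nothing in the hunk can tell those cases apart. Since this lands in the default config, consider shipping the block commented out so it is an explicit opt-in, replacing the one-line comment with one that says what the rule does (strips DNT from requests whose UA matches the pattern) rather than characterising the vendor, and, if it stays active, adding a `CustomLog ... env=bad_DNT` line so administrators can see which requests it affected.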

IDisposable Sep 11, 2012

Violates the DNT specification by not respecting user's choice


365 comments on commit a381ff3

@patheticcockroach that's not the point. If it is possible to use a UA forge to make you as server owner do something illegal (that being the removal of legitimate DNT headers) then that can lead into people with bad intentions suing you for something where the law is on your side.

Yes, it is just a default - but if that default can lead to legal implications in the entire EU, that's a terrible default. Apache shouldn't make it dangerous to run it with the default configuration in countries - especially not because the authors want to make a political statement.


covener replied Sep 13, 2012

@ChrisTX FWLIW I believe the RTM IE behavior is a "default". I respect that other people might disagree that it is a default, or think it's a great default. I also suspect that it spells doom for (voluntary) DNT as you can guess which interpretation the people doing the tracking will lean towards.


jimjag replied Sep 13, 2012

@spronkey "accept whatever dog food it's given"? I am certainly glad that you don't code or implement standards. "This is a completely invalid Range request, but my job is to accept whatever I'm given so I gotta try to do something with it".

If that's the best "argument" and "rationale" you can come up with, then I'd suggest another tactic.


jimjag replied Sep 13, 2012

Actually @spronkey , I see you do try to implement a standard (php-amqplib)... Tell me, does it accept whatever dog food it's given? If the first frame on a connection doesn't contain an 'open' performative, as it MUST, does your implementation just "accept" it?

I don't understand why people like yourself, @jimjag, aren't grasping the essential concept here. The apache project has intentionally and clearly violated the standard itself in order to address a perceived (but unproven) violation of the same standard on IE's part. It's as simple as that. The end result of this is easy to predict: Complete failure of DNT as expected, and a lessening of the Apache project's reputation.


jimjag replied Sep 13, 2012

@alandsidel Funny, I thought that the essential concept was that MS created a violation of the standard and that Apache httpd is attempting to address that violation. Also, if one's point is that Apache httpd, in its action, is itself a violation, then you must also admit that MS's action is also a violation.

You guys continue to argue about MS violating the standards. The point here is whether Apache should be used as a tool to force MS into compliance based on the opinions of some.
With this patch, Apache is not respecting the decision of the users who DO set DNT to true. This is another violation. This patch should only be implemented if Apache could determine that the user did not set DNT to true. If not, this is a violation.

@ellier: No, the point is that MS will not respect its own DNT flag.

@jimjag, no, I must not "admit that MS's action is also a violation." Their behavior is arguably within the spec. No argument can be made that this patch is within the spec : it violates it outright, with no room for debate, as the spec specifically says that nothing not under control of the user may modify the header.

@jimjag : granted, if we accept that Microsoft is violating the intention of the standard, can we go ahead and then understand that Apache is intentionally violating that standard? Is that what you are saying?

So, by your definition, if somebody goes and beats up my wife, you classify it as perfectly acceptable for me to go and kill him?!? Because that is essentially what is happening here... A perceived violation is countered by a definite violation

Looking forward to your rebuttal

@derekm: So when MS decides not to respect DNT, then Apache decides not to respect those users who willingly set the DNT flag to 1. WHAT?!

The Apache Foundation seems to be using httpd as a stick to beat MS into submission without any regards for those users WHO DO set the flag to 1. In other words, lets fix a violation with another violation.

Do you see the irony?

@derekm My understanding is that the DNT standard is a negotiated agreement between different interest groups. As a negotiated agreement, it means that one party in the deal has agreed to hold itself back from doing something which is within its power - to track - on such and such conditions.

Microsoft's move can be compared to a government who wants to strike a voluntary deal with the tobacco companies: "If you place ugly anti-smoking ads on your cigarette packages, we will avoid raising the tax by 100%." OK, say the companies. But in the end, the government raises the tax 100% anyhow. As a result, the tobacco companies would of course remove their negative ads. (The tobacco companies, in this analogy, would be the advertisers. The government is Microsoft. And Apache is the outsourced tax collector.)

@jimjag See section 4.2: An HTTP intermediary must not add, delete, or modify the DNT header field in requests forwarded through that intermediary unless that intermediary has been specifically installed or configured to do so by the user making the requests.

Apache, in its default configuration, is therefore clearly in violation of the spec.

See how easy that was? So why, if IE is actually in violation of the spec, can nobody post a similar quote from the spec indicating the section which it supposedly violates? The only possible justification for the action Apache is taking here is solid evidence that IE is non-compliant (although I'm not convinced that it's ever acceptable to violate the privacy of IE10 users who might have actively made the choice and there is no way Apache can possibly know this).

As it stands, it looks very much from the outside that Apache is being used in political posturing by the advertising industry. If the combination of Apache (the most widely used web server) and IE (the most widely used web browser) always ends up in a "no preference" DNT setting, then the DNT "standard" is effectively dead in the water and the advertisers get what they want, unlimited permission to track users whilst being able to claim they're complying with users' DNT preferences.


Also, if one's point is that Apache httpd, in its action, is itself a violation, then you must also admit that MS's action is also a violation.

Apache is violating a sentence of section 3 in a very direct way:

Implementations of HTTP that are not under control of the user must not generate or modify a tracking preference.

The difference is that IE10 RP did not violate any parts of the most current specification when it was released and still doesn't violate anything but the latest editor's draft. As for the RTM, nobody could explain here how it violates the specification. If you look below, "Express" can't be it.


FWLIW I believe the RTM IE behavior is a "default".

I can't tell you what to believe, but you'd need to explain to me why the "Express" settings wouldn't be covered by the implicit settings group in section 3. It even names DNT being enabled as an option it contains. The standard explicitly does not mandate how to determine the setting. And specifically,

For example, a user might select a check-box in their user agent's configuration, ...

Doable in "Custom" mode or IE's settings per user. "Always send a DNT" will send it regardless of other means.

... install an extension or add-on that is specifically designed to add a tracking preference expression ...

If you install a TPL in IE9/10 that will cause DNT to be enabled

... or make a choice for privacy that then implicitly includes a tracking preference

Which "Express" is.

The standard does not forbid the express settings for privacy (!) to contain this choice. If I make two options "Privacy: high" and "Custom privacy" which is what "Express"/"Custom" are after all, then where is the user choice not being made?

Instead, this way of argumentation goes like this: Nobody will read what "Express" says and just press continue - but it's the same deal with for instance EULAs. If a browser made a selection box: "Do you want to be tracked? Yes (grey, sad smiley) / No (green, happy smiley) (recommended)" that would be perfectly within the demands of the section. You can call it a 'default' as you like - it isn't by the means section 3 defines them.

I also suspect that it spells doom for (voluntary) DNT as you can guess which interpretation the people doing the tracking will lean towards.

To be honest, I'm with the EC here: DNT should be an opt-out standard. Most advertisers are residing either in the US or in the EU and they could be effectively regulated. In my opinion, DNT as a non-overseen standard is a choice a lot worse than if there was a binding law. I don't see why advertisers would have the right to track you. - But that's just my personal opinion. It doesn't change the law as-is. And from current law, yes DNT is optional.

We can only speculate why MS did this in the first place: Was it purely pro bono? Was it because they wanted to weaken Google, Facebook and the likes? - We don't know. I hope ultimately for a legislation that will mandate DNT as opt-out, maybe no tracking being allowed until DNT:0 is sent.

@komputist And that's why those sort of agreements get written down. So that when one side or the other breaks the agreement, it's very clear what has been agreed. In the case of DNT, that is the standards document. The one NOBODY seems capable of finding any such agreement in.

@AndyCadley The point with the tobacco industry example was to demonstrate that it is not at all self-evident who the good guy and the bad guy is: Would a doubled tax on tobacco in combination with positive ads save more lives than a "normal" tax in combination with negative ads? Who knows? We only know that without regulations, tobacco companies are not very much trusted - to put it that way.

Microsoft does not make the all dominating browser anymore - but Microsoft's position is still such that this move could put the acceptance of the standard at risk. Apache is here demonstrating that it stands by the standard - which in my book is a move that could save the acceptance of the standard. Convincing Microsoft to revert its move, is only one part of the picture. Keeping the other parties with a stake in it in, is probably the crucial thing that Apache's move tries to secure.

@komputist I think you're missing the point. One of the following must be true:

  1. The standard is an accurate description of the agreement. Microsoft have violated it and since any violation will contradict something written in that document, it will be very easy to point to that section. (So far, nobody has done this in the case of IE)
  2. The standard is a vague or entirely inaccurate representation of what was agreed. In which case any "violation" is down to faults in the writing of the standard. So the correct approach is to fix the wording of the standard to clarify the position. Given that @royfielding is involved in writing that document, it would be infinitely more sensible to take that route than to purposely break the standard in yet another product.
  3. The standard is an accurate description. Microsoft haven't violated it.

In the case of (1) somebody should have been able to make the issue clear by now instead of simply asserting that Microsoft have violated the standard without any justification whatsoever. Everyone would be clear on the issue and the conversation would be about what, if anything, Apache could or should do about it (which still wouldn't be entirely clear cut).

However, given that any evidence for (1) seems to have eluded everyone, we can only assume we're dealing with either (2) or (3) and in both those cases it should be blindingly obvious to everyone that making Apache non-compliant is an extremely bad idea and something that should never be allowed to happen.

@AndyCadley It has been pointed out where Microsoft violates the standard. I am citing @reschke, who cited the standard: "Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control."

It's blindingly obvious (to anyone without an anti-MS agenda) that this patch is a bad idea, even if the case were (1). It's also becoming apparent that the project has no intention of correcting the issue and pulling this patch, for reasons I cannot fathom beyond simple pride.

@komputist, how exactly is IE in violation of that particular statement? There is no institutional or network-imposed mechanism involved here. Whatever MS has or hasn't done is irrelevant -- this patch itself is a blatant violation of the standard, on that there can be no argument.


jimjag replied Sep 13, 2012

@alandsidel First of all, calling this an "anti-MS agenda" is baseless and false. It is certainly anti-violation.

Secondly, as anyone who is following the actual development list (and not this fairly useless thread) knows, the developers are looking at additional ways to address this issue.

And thirdly, is your last sentence ("It's also becoming...") directed towards MS or Apache? Sorry, but I know it's directed at Apache, but why not the same energy and sentiment towards MS, who could REALLY fix this issue by simply not violating the standard?

I have a great idea: knowing that MS is violating the standard, what would you suggest Apache do? No simple "pull the patch" or "nothing" knee-jerk responses are allowed. Give us some concrete ways in which Apache httpd can force compliance w/ the standard? @royfielding implemented one which, no matter what else you can say, has brought this issue to the fore. What's your (or anyone else's) patch?


jimjag replied Sep 13, 2012

@sschocke No, but if someone is about to kill your wife, you are certainly within your right to smack him in the leg with a shovel.

My point is that everyone who is complaining that this patch also violates the spec (and there is an argument to be made there) and uses THAT as ammunition for its removal, completely ignores the base reason for the patch in the first place, which is that MS's action is the primary violation of the spec, and this patch is in reaction to that. And despite claims otherwise, MS's action is a violation.

@jimjag If it's a violation, cite exactly what part of the spec it violates, and how it is violated. So far, nobody has done that, least of all with an RTM version of IE10. Not one person. If it's so "certainly" a violation, there would be far more consensus on the issue than there is. What is certain is that this patch causes apache to violate the spec. Period.

Whatever the developers are doing right now is irrelevant. This patch is not the solution and needs to be pulled. If an alternative solution is forthcoming (which I highly doubt), then it can be addressed in a patch of its own. There is no reason at all to have allowed this patch in the first place, nevermind to have left it here in the face of so much controversy.

The last sentence of that post was aimed squarely at apache. The Apache project has openly and intentionally violated the standard (to be precise, shipped a default config which violates the standard) with this patch. My energy and sentiment belongs squarely where it is.

My patch for apache? It does not need one, no matter if you say that is "not allowed." Client-specific patches for browsers in apache have historically only been implemented to enhance compatibility between apache and broken browsers. Not once in the history of the project has there been a patch like this one, and rightly so.


jimjag replied Sep 13, 2012

DNT is a privacy setting, and should be set/unset/specified with that criteria in mind. It shouldn't depend on what kind of "Express" install was made. Express, in and of itself, is NOT a privacy setting.

Express, in and of itself, says clearly that it is going to set a default privacy setting, which enables DNT. Now you're claiming what... that unless it's on a page labeled "privacy" that it's no good?


jimjag replied Sep 13, 2012

@alandsidel "Not one person"? Oh puh-leese.

And "Not once in the history of the project ..."?? By a "patch like this" do you mean "a patch designed to enforce the standard"? In which case, you are way, way wrong.

@komputist I'm using IE10 to write this now. I chose a DNT setting. There has been no institutional or network-imposed mechanism out my control forcing it. It entirely and accurately represents my personal choice of DNT setting. Apache ignores this.

@jimjag I would argue, as has been known by systems developers for decades, that it is fundamentally impossible to determine a user's intent through software alone. Fundamentally you just have to accept that the settings and options they select are what they wanted to do. Until someone invents psychic computers, that's what we're stuck with. Take the issue to the US/EU courts if you really believe Microsoft is abusing its position, but do not abuse end users' privacy to try and make a point.

Consider the precedent this action sets. Anybody who wants to track you can do so, regardless of your DNT setting and should you complain they can argue "Well, we felt the DNT settings dialog in Firefox/Safari/Opera/Chrome wasn't clear enough and so clearly didn't represent its user's informed consent. So we figured we'd just ignore it and track them anyway. After all, that's exactly what the Apache team decided to do". The very justification being used here (and on the mailing list) for this patch fundamentally undermines the entire DNT standard completely.

Not one. If you're the one, proceed to support it. So far all you're doing is talking in circles, attempting to claim that the blatantly obvious "This will enable DNT" during express is somehow "not good enough." It's not like it's hidden, obfuscated, or in any way unclear about what selecting Express will do.

By a "patch like this" I mean one that intentionally violates a standard, which is what this entire discussion is about.


jimjag replied Sep 13, 2012


From the standard: "Key to that notion of expression is that it must reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control."

So if one chooses Express, it is making a decision for the person... What if someone wants Express and DOESN'T want DNT? In this way, Express forces a user's preference, simply because that preference is overloaded with a whole bunch of other stuff.

Do you even understand what DNT is, and what it is trying to do? Or are you just breaking in a new keyboard?

@jimjag you are just talking in circles again. If one chooses express, it says right on the screen what that means WRT DNT, and the user has made that decision for themselves. Regardless, what Express does or does not do is irrelevant. This patch causes Apache's default state to be in clear (rather than interpreted) violation of the standard, and in light of that alone, it should be pulled.


I have a great idea: knowing that MS is violating the standard, what would you suggest Apache do?

Nothing. I don't WANT Apache to be the standards police. Why do you? We never elected them to be enforcers of anything. They should get in touch with Microsoft and deal with it there. If or if not this is a violation, who cares, I don't want anyone using force to enforce a spec, ever. That is not how you handle this. Not after everything we learned during the browser wars. As I've said before, getting browser vendors to support a spec should be organic. Forcing standards makes it not even a standard, it becomes a "law" browsers have to follow or get punished.

If it makes it any more clear, look at it from the standpoint of the principle of least harm.

Patch In:

  • IE10 may or may not be in violation. This is, quite obviously, open to interpretation
  • Apache, by default, violates the standard.
  • No IE10 users preferences are respected, regardless of where they came from.

Patch out:

  • IE10 may or may not be in violation. This is, quite obviously, open to interpretation
  • No harm to anyone beyond that point, outside of apache's control.

If I use IE10 and explicitly set DNT to 1 (NOT using the express setup) and visit a web page served by Apache, Apache is going to remove my DNT preference on its own (right now being "we don't accept you having any DNT preference"). That's in clear violation of that line you've just quoted. And it's outside my control unless it's my own server.

I think most here will agree that, if you think MS violates the standard, that's something you can clearly think or state. That's your opinion and it's fine. What people are upset about (me included) is the action taken by this patch/commit: It removes our preference, just because we use the browser of our choice. The "Microsoft doesn't violate the standard" vibe is there because of the wording etc. but we should really leave that one aside here. I agree with you. IF you can be sure the submitted DNT value is forged or not the user's choice, remove it. That is perfectly fine. However, don't ever touch it if you're unsure (in doubt, trust the flag/user). And that's something that's being ignored here.

For those arguing about acceptable value ranges and other computer science stuff: The flag might have either the value 0 or 1 or it must not be present at all. And that's the case, no matter whether you're using Chrome, Firefox or IE10. If IE10 would submit something like "DNT: Yes!", then you could throw it away any time you want. But that's simply not true. The value is perfectly fine, valid and within the acceptable range described in the standard.

If IE10 would submit something like "DNT: Yes!", then you could throw it away any time you want

Even then, it would not be "permissible" for Apache to toss the header -- it's up to the web developer's backend (Rails, PHP, Perl, whatever) to do that. Touching this stuff at all before the web developer gets their hands on it is inexcusable. As long as the request is properly formatted, and is not going to cause an incompatibility with the server, it should be passed along as-is.

Does apache toss other "invalid" headers? No. Not one. This one is exceptional in that regard. Why? Agenda.
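The two comments above describe what a backend sees under the committed config versus what the DNT value range allows. The following is an added example, not code from the page or from httpd: it emulates the committed `BrowserMatch` + `RequestHeader unset` pair in Python (the regex is copied from the hunk) and puts a backend-side interpreter beside it that accepts only `0` or `1` and treats anything else as "no preference", as the thread says a backend should. The request dictionaries are constructed for the example, not captured traffic; the function names are the example's own.

```python
import re

# Regex copied verbatim from the committed BrowserMatch line. Note that it is
# unanchored and the '.' is unescaped, so it is a loose substring match.
IE10_PATTERN = re.compile(r"MSIE 10.0;")


def shipped_policy(headers: dict) -> dict:
    """Emulate the committed config: any UA matching the pattern sets bad_DNT,
    and RequestHeader unset then removes DNT from the request regardless of
    its value. Returns the headers the backend would receive."""
    out = dict(headers)
    if IE10_PATTERN.search(headers.get("User-Agent", "")):
        out.pop("DNT", None)
    return out


def parse_dnt(headers: dict):
    """Backend-side interpretation of DNT as the thread describes the spec:
    '1' = do not track, '0' = tracking permitted, absent = no preference.
    Any other value is treated as absent but returned raw so it can be logged.
    Returns (preference, raw_value)."""
    raw = headers.get("DNT")
    if raw is None:
        return None, None
    value = raw.strip()
    if value == "1":
        return True, value
    if value == "0":
        return False, value
    return None, value  # malformed: no preference, but keep the value for logs


# Constructed sample requests (not real traffic). The spoofed and the
# 'MSIE 10X0;' entries exist to show what the loose regex actually catches.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)", "DNT": "1"},
    {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)", "DNT": "0"},
    {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0", "DNT": "1"},
    {"User-Agent": "SpoofBot/1.0 (pretending; MSIE 10.0; nothing else)", "DNT": "1"},
    {"User-Agent": "Mozilla/5.0 (compatible; MSIE 10X0; odd build)", "DNT": "1"},
    {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; rv:15.0) Gecko/20100101 Firefox/15.0", "DNT": "Yes!"},
]


def changed_by_shipped_policy(requests) -> list:
    """Indices of requests whose backend-visible DNT preference differs
    depending on whether the committed config is in front of the backend."""
    changed = []
    for i, req in enumerate(requests):
        before, _ = parse_dnt(req)
        after, _ = parse_dnt(shipped_policy(req))
        if before != after:
            changed.append(i)
    return changed


if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, parse_dnt(req), "->", parse_dnt(shipped_policy(req)))
    print("changed:", changed_by_shipped_policy(SAMPLE_REQUESTS))
```

Running it shows that the explicit `DNT: 1` and `DNT: 0` from the IE10 UA, the forged UA, and the `MSIE 10X0;` UA all lose their preference, while the Firefox `DNT: Yes!` passes the config untouched and is only neutralised by the backend parser, which is where the thread argues that decision belongs.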

@MarioLiebisch User preferences do not govern servers - users use user agents. So the Apache patch is not a violation of the cited requirement that DNT in user agents must be set by user's own choice.

It is Microsoft who has removed the choice for you. You can compare it with a political election between "yes" and "no" where the default is supposed to be "did not participate in the vote". If, in your constituency, they change the default to "no" so that even those that do not participate are counted as no votes, then those counting the votes cannot know whether the "no" votes are for real. And so, they must annul the election. Which would be a great pity. Especially for the sincere no voters. To, in that situation, point to the election rules and state that "it is not written in the rules that the election can be annulled if the rules are broken" would not bring anyone very far.

@komputist Microsoft did not "remove the choice from you" for crying out loud. It's right there on the screen when (if) you choose Express, and regardless of choosing express or not, you can change your mind at any time in the future. You're really stretching (as are all on that side) to claim MS has done something wrong here, when it's painfully obvious that this patch does far more harm than the supposed violation by MS.

@komputist The DNT preference is a preference for web applications. It's something between the end user and the web application. As it stands Apache is sat in the middle, silently changing this without the consent of either party.

And Microsoft haven't removed that choice. Nobody is arguing that. At worst, Microsoft suggested a setting to you and you blindly accepted it (which, arguably is true of every single browser), but at any point an IE10 user can go in and change that to whatever they want. They can do that during install, they can do it later, they can even sit there toggling it on and off to their hearts' content if it pleases them. Whatever they do, however, Apache is assuming they don't know what they're doing and choosing for them. Apache is effectively replacing it with "the preference of some institutional or network-imposed mechanism outside the user's control."

@komputist: I said that I wouldn't intervene any more, but this misunderstanding is quite amazing really:

  1. You guys think that this standard is worth fighting for? Most people agree with you on that (I don't but anyway)
  2. You think that MS did something wrong? Some people agree, some disagree
  3. You feel the ASF is entitled to play Internet cops? Very few people agree with you on that. I'll +1 @OscarGodson on this: "I don't WANT Apache to be the standards police. We never elected them to be enforcers of anything."
  4. You feel the patch was an appropriate solution? Most ASF supporters see this patch as a dirty hack which should never make it into production.
    If you want to begin to understand what's going on, my advice would be to really pay attention to points (3) and (4). Remaining stuck in your tracks without trying to get some perspective won't lead you very far I'm afraid.

@alandsidel It is technically possible to participate in a rigged election. But the value of doing so is low. Microsoft tries, with bad or good intent - I don't know, to take advantage of a standard that requires that all parties abide with it.

@AndyCadley The problem is that the spec says that the way Microsoft has arranged it, is not in line with the standard.

@DanielStrul I don't speak for any party - I just analyse. And my analysis tells me that Apache's move is not about policing. It is a move to save the standard. When striking an agreement - such as a standard, it is important to show that you mean it and defend the deal, even when it can be temporarily difficult to do so.

@komputist what MS does or does not do is not my concern. This crummy, ill-informed, "standards"-breaking patch however is.

As far as MS is concerned, they are just doing what most users want the defaults to do. In so doing, they've illuminated how DNT fails out of the gate, while also exposing a sort of "clique" within the ASF that wants to punish them regardless of the impact on the httpd project, the desires of end users (of IE or of apache), or DNT as a whole.

@komputist Again, where does it say it? What exact words are something Microsoft is not doing. I'm quite happy to believe it if someone can actually point it out, but I've read through the whole thing numerous times and can't find it. And everywhere in this thread and the Apache mailing lists people are simply asserting it as fact, despite nobody seeming to know why.

Step back from what you think you've heard, put aside personal bias, ignore for a moment that it's the big evil Microsoft and read the standard as if it were any other web browser offering exactly the same choice during installation that IE does. Then and only then, decide which part of the standard you think it's actually violating.

As far as Apache defending the standard, this move kills it stone dead. Instantly. If this patch is allowed to stand, there is no such thing as DNT, regardless of which browser you use, regardless of whether Microsoft's decision was or wasn't compliant. Your freedom to choose not to be tracked has been entirely eradicated by those claiming to be defending it. Even if you believe Microsoft are in violation, or that the spec is a flawed approach (and it is), allowing this kind of behaviour should be unacceptable, since it justifies those who want to track you doing so regardless of DNT on the grounds they don't like the way your browser let you choose.

@komputist: Even if the ASF wanted to save this standard-to-be, using the Apache server near-monopoly to do so was very, very wrong. They are just using the same brute force tactics as MS, and I believe a lot of free software supporters won't easily accept that. Time (and the evolution of the nginx market share) will tell.


  1. No users of IE10 will be able to change the setting on sites they visit that are running apache with this absurd patch.

@mamund Correction:

  1. All users of IE10/Win8 will be able to easily change the default. Access to the setting works for even the most limited of user accounts as these are always per-user level settings (they can't change what the system default would be if they aren't Administrators, but that's pretty much a no-brainer)

@alandsidel : yep, forgot that one:

  1. No users of ASF will be able to change the setting on the user agents that are running IE10 with its [insert your emotional characterization]

thanks for the reminder

@AndyCadley The exact spec text that Microsoft is not following, has been cited at least 3 times on this page. But Apache is not defending a piece of paper but the signatures of that paper and the process around it. That's an important difference.

@alandsidel This is a standard. A convention. It is not a law. Where I live, I can get a stamp from the postal service and place it on my (snail) mail box to avoid receiving ads. But I have to place it there myself. Then the postal service stops sending me unaddressed ad mail. I myself have not placed that stamp there. And I don't want my neighbors to place it there "by default" for me. I want to control it myself. If law forbids ads, then, OK. But we are not there.

@jimjag I certainly wouldn't commit a patch that blatantly disregards what I can only deem to be a valid piece of data (without further contextual information). And that's the problem, the working group has not made a decision on whether IE10 is compliant. ASF has, but ASF aren't the authority here. You have to assume at this stage that the header sent is sent from a compliant user agent, and utilise or forward it!

No one here is at consensus as to whether IE10 is compliant. Some think yes, some think no. httpd is making an assumption about a technically valid header based on data that does not exist, thereby unequivocally breaking the standard.

But, as many have said, it's not the point. Apache isn't a political sandbox!


No, but if someone is about to kill your wife, you are certainly within your right to smack him in the leg with a shovel

That would be debatable...

I understand the issue. The DNT standard only works if the majority of users never know of its existence, or CHOOSE to never make use of it, as @royfielding would have us believe. That's because it's not a law. So it's a standard that allows a select few to benefit...

Coming back to our analogy with my wife, let's take it a step further and see where we end up. She is walking down the street, somebody comes up behind her with a knife. I take the shovel and smack him in the leg. He proceeds to go to the police station and lays a case of assault against me. Can I prove that he did in fact want to kill my wife? Is it illegal to carry a knife in the street? Have I broken any laws? Who do you think will win this case?

The answers are simple: No, I can't prove it. No, it's not. Yes, I have. He will win.

Even if there were witnesses, the defense will ask them "How can you be sure he intended to stab Mrs X?" The answer is they can't. They can assume it, based on his behavior and carrying a knife in a threatening manner. But assumption is not beyond reasonable doubt.

Before I ramble any more, let's get back to the point. The ASF has decided to take millions of IE10 users hostage to try and enforce a standard... it's as simple as that. This is not the actions of a respectable open source foundation... it's the tactics of a monopolistic mega-corporation. The kind of tactics Microsoft would get crucified for (and have been crucified for in the past.)

If you insist on removing the DNT header sent by IE10, at least find a way of informing the user that you have done so. Silently removing a user preference(whether they picked it via Express settings or not) is atrocious.

I agree that MS are basically willfully trying to kill the DNT standard, What I don't agree with is the "eye for an eye" behavior.

PS. I have been following the httpd-dev mailing list, and see there is a general feeling of "we need to fix this", even if @royfielding and @gstein don't share that sentiment. I'm glad to see it.

This is a joke. Screw it, I'm tracking everyone in every site I build, host or support. User information is precious, and if Apache can ignore the choice of some users, so can I. Hey, I can even blame Apache for the tracking. Hey, I could even add every single browser out there to this patch. Let me change "MSIE 10.0;" to ".+".

<IfModule setenvif_module>
BrowserMatch ".+" bad_DNT
</IfModule>
<IfModule headers_module>
RequestHeader unset DNT env=bad_DNT
</IfModule>

Just forget this DNT thing ever existed. Happy tracking.

Surprisingly... oddly... now'd be a good time to add a reference to Stand Your Ground[1]...

@sschocke: "Coming back to our analogy with my wife, let's take it a step further and see where we end up. She is walking down the street, somebody comes up behind her with a knife. I take the shovel and smack him in the leg. He proceeds to go to the police station and lays a case of assault against me."

The answers aren't "simple"... but in a 'stand your ground' state, you'd wish for more than a shovel such that he doesn't proceed... the defense isn't likely to question... but then, it'd suck to be your wife if the 'legal ramifications' are in your calculations of that particular situation:) yeah... that analogy has run its course:)

[1] -

@williamstw Why am I not surprised somebody would bring up a US state law. I was referring to an actual case, right here, in good old South Africa where I stay. See, it's not so clear cut as you believe. The analogy was a stupid one to begin with, as is usually the case with analogies.

The point I was trying to make right from the start is that responding to a perceived violation by a definite violation is hardly ever the right course of action. In self-defense, maybe it can still be acceptable. But who exactly is Apache defending with this patch? Definitely not itself because as repeatedly stated, Apache has no stake in the success or failure of DNT... or does it?

@komputist No, it hasn't. I presume you think it's this bit, which has been hand-wavingly suggested a few times:

"Key to that notion of expression is that it must reflect the user's preference, not the preference of some institutional or network-imposed mechanism outside the user's control."

Which is rather vague wording at best (note it does not include any good standards language like MUST NOT, SHOULD NOT etc). So its interpretation is largely down to the reader to determine (which makes it a type (2) problem by the number scheme I suggested above).

Breaking it down and comparing against IE:

a) Key to that notion of expression is that it must reflect the user's preference - well the user made a choice, they either chose to go with the Express settings or Custom ones. Either way it is clearly written on the screen what the result of that choice means for your DNT preference. So it can't be violating this part.

b) "not the preference of some institutional or network-imposed mechanism outside the user's control" - At all times the user is in control of their DNT setting, from the moment they install (and make a choice) onwards it's always their decision. Even if that decision is to click Express settings and leave everything the way Microsoft recommends. Still not a violation.

Note the standard says absolutely nothing about the following (they were dismissed as UI issues, beyond the scope of the DNT standard):

  1. Is there a default setting?
  2. If there is a default, what should it be?
  3. What constitutes an informed choice? And, more importantly, under what circumstances can a choice be considered uninformed and thus ignorable?
  4. To what extent can a browser vendor suggest that a user should select a preference either way.
  5. To what extent can a browser vendor recommend a particular setting either way.

Key to the discussion is the number of people claiming the standard says the browser must default to unset, when in fact it says no such thing whatsoever. And the very reason it doesn't is because you simply can't say there must be a default of "unset" without answering all those other more difficult questions.

How is this commit not "deliberate abuse of open standards"? Heck, let's assume that IE10's default setting is indeed "deliberate abuse", and that it should not be tolerated by Apache.

How does that justify Apache deliberately ignoring said open standard for all those IE10 users who intentionally keep DNT enabled?

That strikes me as far more deliberate abuse than anything IE10 does. You're literally taking an open standard, and saying "we're going to ignore it, and make it fundamentally impossible for users to opt-in because we can't entirely rule out that someone, further down the line, may have also abused the same open standard.

IE10 is merely making an assumption about which setting users would prefer. But they make it possible for the user to make the choice they prefer. Apache is making it impossible for IE10 users to opt in to DNT. So clearly, Apache doesn't merely tolerate, but actively engages in, deliberate abuse of open standards to an extent far beyond anything IE10 does.

This is insane.

The interesting question is not whether Microsoft's decision is correct, or conformant with the DNT spec.
The question is how Apache can justify violating DNT for those IE10 users who have made an informed decision on the subject.

Suppose I download IE10, and just to show my intention, I open its settings, and disable DNT, and use that setting for a few hours. Then I go back and re-enable DNT. That is very much a deliberate action by me, the user, and it is perfectly conformant with the spirit and letter of DNT. What IE10 does by default, and what other IE10 users do, is completely irrelevant. I have made a deliberate choice to actively and manually enable DNT, and thus, I expect the setting to be honored.

And yet, according to this commit, Apache should ignore my deliberate choice, and strip away the DNT headers.

If that is not "deliberate abuse", I don't know what is.


@DanielStrul thanks for sharing the link to the bug report. It has been a real eye opener. Not only does it show that the W3C consider IE10 to be compliant (at present at least), a sentiment that most people share, but also that the ASF is definitely not acting out of concern for the standard or users.

Secondly, the pretentiousness of @royfielding to close a bug report on something he did wrong with a simple WONTFIX just goes to show how far gone he is. He simply cannot admit that what he did was wrong, as if he is somehow above reproach because he did some good in the OSS community. Give me a break... Humility is the mark of true genius, not thinking you are better or smarter than everyone else.

@sschocke You claim that "Not only does it show that the W3C consider IE10 to be compliant". But to be a member of the W3C working group does not give @jonathanmayer the authority to speak on behalf of W3C. (And I don't see that he claims to do so either - though he does claim to know what the group’s negotiations mean.)


Justin Brookman from the Center for Democracy and Technology, another Editor, has helpfully summarized where the draft text stands on the released version of Internet Explorer 10:
It is inaccurate to say that IE10's implementation is inconsistent with the spec . . . . The Windows flow presents information about DNT along with several other options; as an opt-in flow, you could argue that DNT should be called out more prominently, but I have seen a lot worse

I did not say that Jonathan said any such thing. Simply that a comment made by him included the above statement. A compliance editor for the specification said it was inaccurate to say that IE10's implementation is inconsistent with the spec. And, let's be clear here... IE10 preview release was not up to spec. IE10's final implementation is. @royfielding submitted this patch days before the RTM version of IE10 was even available for testing, so he must have based his opinion on IE10 preview release.

Also, a comment such as this on the working groups mailing list :

certainly not through any action by the spineless W3C.

just confirms how self-important he considers himself to be.

@komputist, @sschocke: I hope my former post was not misleading. I believe @jonathanmayer only expressed his own POV, and never claimed otherwise. It seems to show, however, that @royfielding and/or the ASF (I'm not sure) acted on their own, without any explicit consent or any explicit dissent from the W3C.
This hypothesis seems confirmed by the archives of the W3C's TPWG public mailing list, where some members have proposed to change the standard so that web servers would be explicitly forbidden to change/drop the DNT flag (, thus specifically forbidding this very patch.

@DanielStrul "change the standard so that web servers would be explicitly forbidden to change/drop the DNT flag" => Hm, I hope this would only apply to default configurations and not impose a lock of some sort...

@patheticcockroach: I wouldn't worry to much about that, really. From what I've seen, @royfielding posted a rebuttal, and the discussion more or less stopped at that point. This proposal only shows that there is no real agreement within the Tracking Privacy Working Group to support the Apache config patch, but I'd suppose that there is no real agreement to oppose this patch either. With so many conflicting interests, it's generally difficult to reach an agreement on anything at all!

@patheticcockroach @DanielStrul

  1. IE10 is in full compliance with the last (now expired) IETF draft

6.3. Default

A user agent MAY adopt NO-EXPRESSED-PREFERENCE or OPT-OUT by default.
It MUST NOT transmit OPT-IN without explicit user consent.

  2. IE10 is in full compliance with the current proposal.

A user agent MUST have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent
(... and ...)
We do not specify how tracking preference choices are offered to the user or how
the preference is enabled: each implementation is responsible for determining the
user experience by which a tracking preference is enabled

  3. IE (non-)compliance is irrelevant to the patch itself, which leaves apache in violation in its default configuration.

An HTTP intermediary must not add, delete, or modify the DNT header field in
requests forwarded through that intermediary unless that intermediary has been
specifically installed or configured to do so by the user making the requests
(... and ...)
Implementations of HTTP that are not under control of the user MUST NOT
generate or modify a tracking preference.

A lack of consensus does not indicate a lack of facts required to reach consensus. In this case, it simply appears that the facts are being ignored in order to push a "punish MS" agenda.

@alandsidel I doubt it really has any point discussing that here - nobody relevant is listening anymore. You're wasting your time on some folks who are apparently unable to read that "Express" is a privacy setting (it says that in the screen's title) or that you can use custom to adapt it if you like.

It isn't about whether MS violated the standard or not here. If you look back, @royfielding has never said where he believes the RTM violates anything. It should be clear from the time line of events that the Apache PMC hasn't voted on the RTM. The weasel word 'default' riddles this thread mixed through by the claim that the "Express" settings were some kind of default, while they're not.

Furthermore, this doesn't even matter. Even if you want to see a violation on MS' side (the spec isn't too clear about what it says under 3 - it is fairly easy to interpret a violation in somewhere), this patch doesn't become more acceptable.

If the Apache PMC judged a release product based on a pre-release version of it, and accepted a patch that causes people in the EU to not be able to run Apache legally in the default configuration anymore (of which both things itself are unacceptable) - then it should be pretty clear that this was never intended to be a fair judgment of Microsoft's product in the first place. This is a political vendetta - and that's why arguing against those who claim it was a violation isn't worth your breath.

There will be lots of fanboys who don't want to understand that the PMC can't have judged IE RTM but want to see how MS gets kicked because of personal MS hate.
I originally joined this thread to point out the important differences between the PR and the RTM considering this matter while being sure that the RTM wasn't even judged. Personally, I believe there are better ways than a thread nobody reads to point this out. I'm out.

@ChrisTX I believe you have the right of it. It can be shown that the W3C feel this patch is unwanted, that some members of the ASF have come around to seeing it as well, and that @royfielding acted mostly out of his own - using a pre-release version of IE10 to base his decisions on. I am unwatching this thread, as there is no discussion anymore.

Unbelievable. Apache is no longer an open standard. A sad day for all. Has Apache become a vehicle for developers such as @royfielding to promote personal hatred and business bias ? This is pure bullshit. Fielding has a clear conflict of interest. He should not be allowed to participate in open standards - which Apache httpd is not anymore because of this. Let @royfielding do whatever he wants in his own company's proprietary products. He should not be allowed to put proprietary practices into so called open standards. Just unf*&^ing believable.


covener replied Sep 22, 2012

@pcomitz -- It's hard to tell if you're making stupid comments about a standard or stupider comments about a webserver, but I appreciate the Saturday morning puzzle.

@covener I notice that you never respond to well-reasoned, evidence-based criticisms of your team's actions from people who have taken the time to read the various drafts of the specification, the Express Settings screen in Windows 8, and the working group's mailing list archives.

Not so much of a puzzle, that.


covener replied Sep 22, 2012

@markrendle that's because I'm not particularly interested in chapter and verse of DNT drafts, how Windows is configured, or what people on the WG mailing list have to say -- much less interested in them as some kind of validation or reproach of the teams "actions". I've primarily responded when the naivety or invective here has bubbled over. I don't feel obliged to respond to anything here.


jimjag replied Sep 22, 2012


Nothing. I don't WANT Apache to be the standards police. Why do you?

The web of today ONLY exists because open source software like Apache (especially Apache) required and enforced the standards and protocols of that early web. Apache is supposed to be a fully compliant, basically reference implementation. That requires it being a standards police.

@jimjag interesting. I've always thought and seen open standards followed organically. But, if you have an example where "open" standards were forced and if not followed the implementors were punished by a third party let me know. I've just never heard of that. I've always thought open standards were great because they were standards that every agreed upon enough to follow along and that users also had a voice by deciding which software they liked more.


jimjag replied Sep 22, 2012

@OscarGodson Standards and protocols only work if they are agreed to and, just as important, abided by. That's how standards work. Your electrical plug is designed to abide by a standard. How would you feel if a plug manufacturer just decided to make both prongs "fat" instead of just the neutral one?

As far as "punished by a third party" I really don't understand your argument... But before you try to explain, do yourself a favor and do some investigation into what open standards and protocols actually mean, and how they work.

@jimjag if a manufacturer made that plug no one would buy it. Simple. And that's how standards work. Maybe you should read up on it. Open standards are no laws, which Apache and you feel like they are, they're standards. Google "define:standard" for more clarification.


Apache is supposed to be a fully compliant, basically reference implementation.

Please supply a link to the standard this reference implementation patch is fully complying with.

It appears someone on the Apache team is deleting new posts by people against this. @imanavg and @toddmbloom aren't showing despite getting emailed about the posts, but posts by people like @jimjag which are for the pull request are showing up.

@covener Unfortunately that attitude comes across to everyone else as a rather naïve approach on your part to assuming commits by the likes of @royfielding are automatically in the best interest of Apache, which is clearly not the case.

@jimjag Right now Apache is the one that's not abiding by the standards, whereas IE is (or at least is in an arguably grey area). Apache most certainly isn't a "fully compliant, basically reference implementation" by any stretch of the imagination. Trying to take a moral high ground, when the actions of ASF are far worse than any supposed violation of the standard they're claiming to protect, is simply not going to wash.


covener replied Sep 23, 2012

@OscarGodson I do think someone at the ASF can moderate them, but at least one of the those referenced comments is up in the annotated revision section at the top instead of down in the thread.


covener replied Sep 23, 2012

@AndyCadley I don't know what comments you're referring to, but to clarify my lack of interest in arguing about DNT and working groups has nothing to do with how much benefit of the doubt I give to @royfielding or any other contributor.

For @royfielding and anyone at the Apache Foundation.

From the article: 'When the servers controlled by those big companies encounter a DNT=1 header, says Downey, "They have said they will stop serving targeted ads but will still collect and store and monetize data.”'

What a waste of time and resources.

For the paper trail, a new version of the DNT specification has been published today. Determining user preference

A user agent MUST have a default tracking preference of unset (not enabled) unless a specific tracking preference is implied by the decision to use that agent. For example, use of a general-purpose browser would not imply a tracking preference when invoked normally as "SuperFred", but might imply a preference if invoked as "SuperDoNotTrack" or "UltraPrivacyFred". Likewise, a user agent extension or add-on MUST NOT alter the tracking preference unless the act of installing and enabling that extension or add-on is an explicit choice by the user for that tracking preference.

You can check the diff

Well that's another epic @royfielding fail then. The phrase "unless a specific tracking preference is implied by the decision to use that agent" is quite possibly the most woolly and vague statement ever to make it into a specification. What exactly about an agent is supposed to imply a default tracking preference other than unset? As it stands, that's so open to interpretation that choosing a default is effectively up to the vendor.

The biggest irony of that, however, is that it's still entirely nullified by the subsequent paragraph "We do not specify..." so even if the decision to use Internet Explorer isn't enough to imply a different default, the choice screen given during install still means that IE is complying with the standard.

The one and only very clear improvement is in the following paragraph though: "Implementations of HTTP that are not under control of the user MUST NOT generate or modify a tracking preference. " - which now makes it abundantly clear that Apache violates the standards whilst this patch is in place.

"Implied". Never use that word in laws or specs. You never really know what's implied and you can argue either way. Specs should be explicit.

Is there any particular reason why the core of Apache should care about DNT: at all? User tracking outside of the standard access/error logs should be dealt with by the web developers. The CGI/mod_whatever code has access to the user agent and custom headers, and can implement whatever policy is desired including simply not caring about the header from any user agent.

I imagine that long-term, Do-Not-Track will be a waste of time and end up in the same position as the P3P standard, which is all but ignored today. The only "solution" to tracking that I can see at present is going to be passing more legislation like the now-infamous cookie law (Directive 2002/58) around the world and enforcing it properly. The odds of that happening are around nil. (I make no claims as to whether that particular law is a good thing or not, merely that I cannot see why advertisers would voluntarily implement Do-Not-Track on the server end.)

Rob-S replied Oct 6, 2012

The spec is pretty clear (now at least). "The goal of this protocol is to allow a user to express their personal preference regarding tracking to each server and web application that they communicate with ..." "Key to that notion of expression is that it MUST reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control."

Thanks, Apache for helping keep vendors on track to continue making forward progress. Progress with HTML came to a halt between 1997 and the end of 2010 because some vendor diverged from the standard ( Personal privacy options need to be implemented consistently, or they become useless to the developers.

@Rob-S "Key to that notion of expression is that it MUST reflect the user's preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user's control."

Which it does with IE, unless you happen to be talking to an Apache server, in which case you're getting the choice of the ASF instead.

"Which it does with IE, unless you happen to be talking to an Apache server, in which case you're getting the choice of the ASF instead."
This bad faith is getting tiring. The casual user doesn't bother to review default settings, period. If you don't know it, you should have a walk in that remote thing we call the real world.

Rob-S replied Oct 7, 2012

Prior to IE 10 and Windows 8, that was true, AndyCadley, but Microsoft changed those versions and is taking it upon themselves to set it by default: , By doing that, they have taken away the ability of the server to determine whether the USER has set the option or not, which is the requirement to determine when to disable tracking. In the older versions of IE where the server CAN determine the user's preference, you are not getting the choice of ASF (nor Microsoft's), but rather the user's, per the specs.

MarkRendle - I'm not sure whether or not you were being sarcastic or not regarding my comment about Microsoft going against the standards ... again ;-)

@patheticcockroach If the argument is that the number of people who change the defaults is insignificant (which is probably true) then NOTHING at all represents a user's choice because, in effect, the only choice being made is that of the software provider in the vast majority of cases. You may dislike the way the choice is presented, but the standard explicitly excludes that from its scope.

@Rob-S IE does not have a default. There is an option during install at which the user has to make a choice. And the user is free to subsequently change their mind about that choice as much as they like. Users who are happy to be tracked can indicate to that effect at any point they like, just as users who'd prefer not to be tracked can. At no point is that decision up to Microsoft. However, what Apache is doing is entirely out of the control of the end-user, the preference is entirely the choice of ASF.

I'm using IE10 right now. I am very aware of what DNT is and what it means. I have actively chosen to have DNT enabled in my browser. Apache is deliberately overriding that choice and making it appear that I don't mind being tracked. In what possible sense is that following the spirit of the standard, let alone the wording?

One thing I have noticed about this patch is that it is in a conf file rather than being in one of the source files. This is down to the administrator of the Apache server this is being installed on to change the conf files accordingly.

As an administrator, it would be nice to see the full list of headers and their meanings to see what else can be fixed, if required.

If something that is supposed to be off by default until a user turns it on, but it's on by default - It's broken. Microsoft should fix their broken browser in the next patch release and then Apache wouldn't need to override the user's choices. It's a pity that there isn't a way to tell from the headers that DNT is turned on by the browser or by a human.

sjau replied Oct 8, 2012


For once, Microsoft didn't break anything. A choice is presented by the user and the user accepts it.

The present configuration file has the change present but commented out (3dd6fb6), which should keep most people happy.

@johnfc2012: In terms of Do-Not-Track, the header values are:

DNT: 0: Opt-in to tracking.
DNT: 1: Opt-out of tracking.
No header: Default option, i.e. whatever is done at present. Presumably this means that tracking is enabled.

All of the above assumes that the end server supports DNT, is not wilfully ignoring the header, and that no other rules or laws apply regarding consent to tracking. (DNT: 0 alone is probably not enough to avoid the drop-down cookie prompts that have become popular.)
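As an added example (not code from the page, the patch, or the Apache project), the following Python shows what a server administrator can do with the DNT values listed above instead of stripping the header: log it, interpret it per request, and tabulate how it is actually being sent per browser family. It assumes a custom `LogFormat` that appends the `User-Agent` and `DNT` request headers to each line (Apache writes `-` for an absent header); the log lines, addresses and user-agent strings are constructed for the example.

```python
import re
from collections import Counter

# Assumed Apache LogFormat for the constructed sample below (not from the page):
#   LogFormat "%h %t \"%r\" %>s \"%{User-Agent}i\" \"%{DNT}i\"" dnt
# Apache substitutes "-" when the request carried no DNT header at all.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<dnt>[^"]*)"$'
)

# Constructed sample log lines (RFC 5737 documentation addresses, made-up UAs).
SAMPLE_LOG = """\
192.0.2.10 [08/Oct/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)" "1"
192.0.2.11 [08/Oct/2012:10:00:02 +0000] "GET /a HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1" "-"
192.0.2.12 [08/Oct/2012:10:00:03 +0000] "GET /b HTTP/1.1" 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" "0"
192.0.2.13 [08/Oct/2012:10:00:04 +0000] "GET /c HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 Chrome/22.0.1229.79" "1"
192.0.2.14 [08/Oct/2012:10:00:05 +0000] "GET /d HTTP/1.1" 200 "curl/7.26.0" "2"
"""


def tracking_preference(dnt):
    """Map the raw DNT field value to the three cases named in the thread.

    None, "" and "-" all mean the header was absent (preference unset).
    The first character carries the preference; the draft allows extension
    characters after it, which are ignored here. Anything else is invalid.
    """
    if dnt is None or dnt in ("", "-"):
        return "unset"
    first = dnt[0]
    if first == "1":
        return "opt-out"
    if first == "0":
        return "opt-in"
    return "invalid"


def may_track(dnt):
    """Server-side policy that honours the header as sent.

    Only an explicit DNT:1 disables tracking; unset, opt-in and invalid
    values are treated as "no expressed preference", which is the reading
    given in the thread above. Other legal consent rules are out of scope.
    """
    return tracking_preference(dnt) != "opt-out"


def ua_family(ua):
    """Reduce a User-Agent string to a coarse family label for reporting."""
    for label, pattern in (("MSIE", r"MSIE (\d+)"),
                           ("Firefox", r"Firefox/(\d+)"),
                           ("Chrome", r"Chrome/(\d+)")):
        m = re.search(pattern, ua)
        if m:
            return "%s %s" % (label, m.group(1))
    # Fall back to the product token before the first "/" (e.g. "curl").
    return ua.split("/")[0]


def summarize(log_text):
    """Count (browser family, DNT preference) pairs across the log.

    Lines that do not match the assumed LogFormat are skipped.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pref = tracking_preference(m.group("dnt"))
        counts[(ua_family(m.group("ua")), pref)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (family, pref), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-12s %-8s %d" % (family, pref, n))
```

Because the header reaches the application untouched, the decision to track stays with the site operator and the user's signal stays auditable in the logs; the breakdown by family is also the only server-side evidence an administrator has for how a given browser population is sending DNT.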

Second, the DNT standard should not let websites "second-guess" or disregard
user choices. Recently, there were reports about a popular web server
introducing a feature that amounted to overriding the DNT signal; in effect,
ignoring users' wishes. I find that troubling, and undesirable.

Speech Transcript about DNT by European Community VP Neelie Kroes

sjau replied Oct 11, 2012

I daresay that DNT is dead now anyway:

The tracking community still wants to log and track even if you say you don't want to be -

And in the EU seems to think that DNT isn't enough for uniform opt-out of tracking -

Wow! I'm brand new to this world, so for all intents and purposes I'm a user not a developer (16 years of Microsoft dev for desktops has taught me none of what I'm now dedicated to learning about web dev).

I want my browser to be intelligent and know what I use it for. The fact that I don't use IE anyway makes this a pretty moot point, but I am a fan of Microsoft still.

My take on the reasoning behind defaulting to a paranoid escape hatch is that Microsoft wants to cut off revenue streams to Google. It's a shortsighted approach and a great way to diminish value in their own browser and possibly even their operating system. The end result is going to be this: [I'm using IE on Windows 8 and having a crappy experience, how do I fix that? I'll download Chrome or FireFox and I won't have this problem.] If Apache is doing anything for Microsoft it's a favor not harm.

All of that said, my 2 cents is that unless you can show how breaking the end users settings whether they chose it or not is going to make communication between the browser and the site work better, then this is a personal vendetta or an architectural vendetta between those who voted to commit and the makers of the browser that it affects. Reading this makes me think that Roy (the guy whose finger pressed the button) has been unfairly singled out. If everyone else on the Apache board bows to Roy then shame on them for being so weak, but stop beating on him as an individual.

The bottom line is that this is transparent, we are lucky to have such transparency, and anyone attacking a person instead of just moving to their preferred server and letting bad products die is wrong in their moral choices. There is no crying in software!

I'm no expert on this but ... Since it's known that a vast majority of folks do not want to be tracked, why don't standards simply say Do Not Track Ever? And then somebody can create an Add On that does track those few folks that do want to be tracked.

@cellardoorstop: Guess what, because no advertising company would implement DNT then.
