PING: Recommend clearing persistent device IDs when clearing cookies

[alvestrand]

From Nick Doty:

"To say that such an identifier MUST persist across browsing sessions is a guarantee that the requirement won't be satisfied. Many users, for example, configure their browsers to delete all cookies on closing the browser. How about:

"Identifiers MAY be persisted across browsing sessions. Persistent identifiers let the application save, identify the availability of, and directly request specific sources."

Any site that assumes that identifiers will persist will set themselves up for failure (for example, when the user clears cookies); the spec should not encourage that false assurance."

The spec isn't clear that the IDs should be cleared together with cookies. It should be.

[mhofman]

How is this different than what was solved in #219 ?

[mhofman]

Since deviceId may persist across browsing sessions and to reduce its potential as a fingerprinting mechanism, deviceId is to be treated as other persistent storage mechanisms such as cookies [COOKIES]. User agents must reset per-origin device identifiers when other persistent storages are cleared.

[alvestrand]

OK, spec is now clear (as of Aug 20). Closing.