logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> News & Hangout View previous topic :: View next topic
Reply to topic   Topic: Apache 2.4.3 overrides IE10 do-not-track setting
Author
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

PostPosted: Sat 08 Sep '12 19:37    Post subject: Apache 2.4.3 overrides IE10 do-not-track setting Reply with quote

Some Buzz around about Do Not Track (DNT) and IE10,

see CNET: http://news.cnet.com/8301-1023_3-57508351-93/apache-web-software-overrides-ie10-do-not-track-setting/

From the Changelog of Apache 2.4.3:
*) httpd.conf: Added configuration directives to set a bad_DNT environment
variable based on User-Agent and to remove the DNT header field from
incoming requests when a match occurs. This currently has the effect of
removing DNT from requests by MSIE 10.0 because it deliberately violates
the current specification of DNT semantics for HTTP. [Roy T. Fielding]


Microsoft's new browser IE10 is set by default to tell advertisers not to track user behavior on the Web, but now Apache 2.4.3 has become a new obstacle to that Microsoft approach.

The following is added to the httpd.conf in 2.4.3 to bypass DNT:
Code:
# Deal with user agents that deliberately violate open standards
#
<IfModule setenvif_module>
BrowserMatch "MSIE 10.0;" bad_DNT
</IfModule>
<IfModule headers_module>
RequestHeader unset DNT env=bad_DNT
</IfModule>
By removing this lines in httpd.conf there is no bypass.

So if you do want that your users protection/privacy is not bypassed by Apache 2.4.3 remove that lines.

Steffen
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Mon 10 Sep '12 18:06    Post subject: Reply with quote

There is a discussion if that patch is against EU law. Let's wait and see Wink
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

PostPosted: Mon 10 Sep '12 19:48    Post subject: Reply with quote

In the Apache bug tracker a discussion and a proposed patch to the bypass, see https://issues.apache.org/bugzilla/show_bug.cgi?id=53845

Steffen
Back to top
maskego



Joined: 16 Apr 2010
Posts: 238

PostPosted: Wed 12 Sep '12 2:50    Post subject: Reply with quote

Hope this will be fixed at apache 2.4.4 at asf
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Wed 12 Sep '12 3:57    Post subject: Reply with quote

maskego, it's a change in the config, in httpd.conf. You can fix yourself by removing the lines shown above. If you did not redo your config from 2.4.1 or 2, chances are you do not have it in the first place. If mod_headers isn't loaded, it's not taking effect. Last but not least, it only affects IE10.

I think there's a little sensationalism in the CNET article. Does the config change just because the version upgrades from Maj.Min.Revision to Maj.Min.Rev+1? I do not know about Linux but on Windows it doesn't.

CNET wrote:
As a result of the Apache update, Web servers using the software will ignore DNT settings for people using IE10.


CNET makes it sound like every Apache out there on the web is going to start doing it that day, which is not so.

Personally, I'm all for DNT and having it "On" by default. Do I think it will work to begin with .... no, there's no way to enforce it is being adhered to by the people wanting to do the tracking. You just have to have faith it is .. and in this day and age that's pretty foolish.

I agree that Apache shouldn't be the spec police, but it has been in other areas for some time now and that probably will not change anytime soon.

I'd be curious to know how many people here are using IE10 since Windows 8 Retail has not been released to the general public yet and I do not see them pushing me to upgrade to IE10 yet either. Microsoft has 2 months to figure it out and fix it on their end (eg. Asking every user separately what they want it set to). I hope they do this because if they do not, the trackers are just going to ignore the DNT across the board.
Back to top
maskego



Joined: 16 Apr 2010
Posts: 238

PostPosted: Wed 12 Sep '12 7:18    Post subject: Reply with quote

yep.I remove those lines from httpd.conf.
Back to top


Reply to topic   Topic: Apache 2.4.3 overrides IE10 do-not-track setting View previous topic :: View next topic
Post new topic   Forum Index -> News & Hangout