Pluggable, competition-neutral providers with a technical permission model #777

@jwrosewell

Description

Overview

Trusted Server hard-wires several request-time decisions (how the Edge Cookie identity is minted, how a request is classified for the bot gate, how geolocation is resolved) and gates Edge Cookie creation on a country rule baked into the core. This epic makes each capability a configuration-selected provider behind a small trait, with neutral defaults that make no host-specific call, and replaces the baked-in gate with a technical permission model.

Privacy is a spectrum, not a binary, and Trusted Server is technology that is neutral on policy. Different deployers operate under different laws and run different policies, so it is the deployer who decides how to configure the stack. This work provides the mechanisms and respects the deployer's choices, rather than deciding on their behalf. The default deployment makes no host-specific call, creates no identifiers, and resolves no location until an operator enables these features via a provider. The existing providers are retained.

The permission model: separating legal policy from the core

The Trusted Server core does not encode any jurisdiction's law or any single policy. Instead, a provider declares the technical permissions its data use requires, and the core runs the provider only when those permissions are held.

How a permission becomes held is established outside the core, from one or more sources (permission providers):

  • (a) Country, when known. Resolved from the country a geo provider returns, keyed by ISO 3166-1, with a fail-closed fallback when no country is identified. This fallback might be the country that the website operator is based in, or a global default.
  • (b) Interaction with the user. A publisher may interact with the user to establish their preference. This is the publisher's choice and need not be driven by a legal requirement. A publisher may do it because they want to, not only because a law requires it.
  • (c) Data provided from another source. For example a browser extension, or a person's profile provided by an external service.

The permission vocabulary uses the IAB TCF Europe purpose set only as technical identifiers. No policy framework is implemented in the core. Trusted Server provides the mechanism to establish and check permissions, and the deployer brings the policy that decides how permissions are established and what they permit. The model is source-agnostic. It gates on whether a permission is held, not on how it was established, so the sources above plug into the same mechanism.

Tasks

Delivered by a single neutral-providers PR, which closes each task on merge.
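The gating logic described in the permission model section, written out as an added example (not code from the Trusted Server repository or from the issue author). It assumes hypothetical names: `Purpose` as the technical identifier type (TCF purpose number used only as a label), `PermissionProvider` for the three permission sources, `CapabilityProvider` for a request-time provider such as the Edge Cookie minter, and a `gate` function that unions held permissions from every configured source and runs the capability only when its declared requirements are a subset of what is held. The country table, fallback and purpose numbers are constructed sample data, not any real jurisdiction's rule.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// A technical permission. The number is the TCF purpose number used purely
/// as an identifier (assumed type; the project may represent this differently).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Purpose(pub u8);

/// What the core knows about a request when the gate runs (assumed shape).
pub struct RequestContext {
    /// ISO 3166-1 alpha-2 code returned by the geo provider, if any.
    pub country: Option<String>,
    /// Purposes the user granted through publisher interaction (source b).
    pub user_choices: BTreeSet<Purpose>,
    /// Purposes asserted by an external source such as an extension (source c).
    pub external: BTreeSet<Purpose>,
}

/// A permission provider: one source of "held" permissions.
pub trait PermissionProvider {
    fn held(&self, ctx: &RequestContext) -> BTreeSet<Purpose>;
}

/// Source (a): per-country defaults, fail-closed when no country is known.
pub struct CountryPolicy {
    pub by_country: BTreeMap<String, BTreeSet<Purpose>>,
    /// Country assumed when geo returns nothing (operator's country or a global default).
    pub fallback: Option<String>,
}

impl PermissionProvider for CountryPolicy {
    fn held(&self, ctx: &RequestContext) -> BTreeSet<Purpose> {
        // The fallback only applies when no country was identified at all;
        // an identified country with no configured rule grants nothing.
        let code = ctx.country.as_deref().or(self.fallback.as_deref());
        // No country and no configured fallback: grant nothing (fail closed).
        code.and_then(|c| self.by_country.get(c)).cloned().unwrap_or_default()
    }
}

pub struct UserChoices;
impl PermissionProvider for UserChoices {
    fn held(&self, ctx: &RequestContext) -> BTreeSet<Purpose> { ctx.user_choices.clone() }
}

pub struct ExternalSignal;
impl PermissionProvider for ExternalSignal {
    fn held(&self, ctx: &RequestContext) -> BTreeSet<Purpose> { ctx.external.clone() }
}

/// A capability provider declares what it needs; the core never asks why.
pub trait CapabilityProvider {
    fn required(&self) -> BTreeSet<Purpose>;
    fn run(&self, ctx: &RequestContext) -> String;
}

/// Hypothetical Edge Cookie minter requiring purpose 1 (sample requirement).
pub struct EdgeCookieMinter;
impl CapabilityProvider for EdgeCookieMinter {
    fn required(&self) -> BTreeSet<Purpose> { [Purpose(1)].into_iter().collect() }
    fn run(&self, _ctx: &RequestContext) -> String { "edge-cookie-minted".to_string() }
}

/// Core gate: union the held permissions from every configured source, then
/// run the capability only if everything it requires is held. The gate does
/// not care which source established a permission.
pub fn gate(
    sources: &[&dyn PermissionProvider],
    capability: &dyn CapabilityProvider,
    ctx: &RequestContext,
) -> Option<String> {
    let held: BTreeSet<Purpose> = sources.iter().flat_map(|s| s.held(ctx)).collect();
    if capability.required().is_subset(&held) { Some(capability.run(ctx)) } else { None }
}

/// Constructed sample configuration: FR grants nothing by default, US grants
/// purpose 1 by default. These are illustrative values, not legal rules.
pub fn sample_policy(fallback: Option<&str>) -> CountryPolicy {
    let mut by_country = BTreeMap::new();
    by_country.insert("FR".to_string(), BTreeSet::new());
    by_country.insert("US".to_string(), [Purpose(1)].into_iter().collect());
    CountryPolicy { by_country, fallback: fallback.map(str::to_string) }
}

/// Convenience wrapper: build a context and run the Edge Cookie gate over all three sources.
pub fn decide(country: Option<&str>, fallback: Option<&str>, user: &[u8], external: &[u8]) -> Option<String> {
    let ctx = RequestContext {
        country: country.map(str::to_string),
        user_choices: user.iter().map(|&p| Purpose(p)).collect(),
        external: external.iter().map(|&p| Purpose(p)).collect(),
    };
    let policy = sample_policy(fallback);
    gate(&[&policy, &UserChoices, &ExternalSignal], &EdgeCookieMinter, &ctx)
}

fn main() {
    println!("{:?}", decide(Some("FR"), None, &[], &[]));    // None: FR default grants nothing
    println!("{:?}", decide(Some("FR"), None, &[1], &[]));   // minted: user granted purpose 1
    println!("{:?}", decide(None, None, &[], &[]));          // None: no country, no fallback
    println!("{:?}", decide(None, Some("US"), &[], &[]));    // minted: fallback country grants 1
}
```

The point worth checking in review is the fail-closed branch: an unidentified country with no configured fallback must yield an empty held set, and a country that is identified but has no rule must not silently inherit the fallback. Both cases are exercised by the wrapper above.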
