[PATCH] Remove deprecated DNT header
Hi,
The 'Do Not Track' header has been abandoned by W3C and most major browsers. Very few advertising companies actually supported DNT.
https://en.wikipedia.org/wiki/Do_Not_Track
Sending this header may actually make Dillo MORE trackable.
The attached patch removes it.
Regards,
Alex
Hi Alex,
On Mon, Apr 13, 2026 at 09:09:29AM +0000, a1ex@dismail.de wrote:
Hi,
The 'Do Not Track' header has been abandoned by W3C and most major browsers. Very few advertising companies actually supported DNT.
Yes, that was the case already when it was merged in 2013, but there was the idea that it won't cause harm:
commit b2be12828a20c54b325a4f31ca62959ea12f642b
Author: corvid <corvid@dillo.org>
Date: Sun Sep 15 18:48:13 2013 +0000
    DNT will at least do no harm
    The whole situation is a manifestation of corporate rule, but
    - it seems that the EU has some data protection laws that could make it worth something in principle there.
    - some large corporations have been shamed into claiming that they will do a tiny bit of something based on the header value.
https://en.wikipedia.org/wiki/Do_Not_Track
Sending this header may actually make Dillo MORE trackable.
What situation do you have in mind? Is it something that can be measured experimentally?
Best,
Rodrigo.
Hi Rodrigo,
Rodrigo Arias <rodarima@gmail.com> wrote:
The 'Do Not Track' header has been abandoned by W3C and most major browsers. Very few advertising companies actually supported DNT.
Yes, that was the case already when it was merged in 2013, but there was the idea that it won't cause harm:
commit b2be12828a20c54b325a4f31ca62959ea12f642b
Author: corvid <corvid@dillo.org>
Date: Sun Sep 15 18:48:13 2013 +0000
    DNT will at least do no harm
    The whole situation is a manifestation of corporate rule, but
    - it seems that the EU has some data protection laws that could make it worth something in principle there.
    - some large corporations have been shamed into claiming that they will do a tiny bit of something based on the header value.
At this point I don't think it's reasonable to expect that any corporation will honor it "out of the goodness of their hearts".
The industry has moved on to Sec-GPC, which appears to at least have some legal backing to it. Maybe it makes more sense to simply change the DNT header to Sec-GPC?
https://en.wikipedia.org/wiki/Global_Privacy_Control
Regards,
Alex
Hi,
On Tue, Apr 14, 2026 at 08:11:14AM +0000, a1ex@dismail.de wrote:
Hi Rodrigo,
Rodrigo Arias <rodarima@gmail.com> wrote:
The 'Do Not Track' header has been abandoned by W3C and most major browsers. Very few advertising companies actually supported DNT.
Yes, that was the case already when it was merged in 2013, but there was the idea that it won't cause harm:
commit b2be12828a20c54b325a4f31ca62959ea12f642b
Author: corvid <corvid@dillo.org>
Date: Sun Sep 15 18:48:13 2013 +0000
    DNT will at least do no harm
    The whole situation is a manifestation of corporate rule, but
    - it seems that the EU has some data protection laws that could make it worth something in principle there.
    - some large corporations have been shamed into claiming that they will do a tiny bit of something based on the header value.
At this point I don't think it's reasonable to expect that any corporation will honor it "out of the goodness of their hearts".
The industry has moved on to Sec-GPC, which appears to at least have some legal backing to it. Maybe it makes more sense to simply change the DNT header to Sec-GPC?
I think sending the Sec-GPC header by default may be a good idea. I suggest adding these two options to control the headers (NO = no header is sent):
http_dnt=YES
http_sec_gpc=YES
However, I don't want to introduce any new features or changes in the HTTP headers for this release as we are already closing the 3.3.0.
I reached out to the EFF to ask if they still recommend the DNT header, and see if they can provide more data or details as to why.
If there is enough evidence that we should not send DNT, then I don't have any opposition to removing it by default. But I would like to keep it as an option for those users that still want to enable it.
Best,
Rodrigo.
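The two options proposed above, sketched as a gate on the outgoing request headers. This is an added example, not Dillo's code and not part of the original messages: the struct, the function names and the rc-line parser are hypothetical, and the sample rc text is constructed. `DNT: 1` and `Sec-GPC: 1` are the values those two signals define.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical prefs; field names mirror the options proposed above. */
typedef struct {
    int http_dnt;     /* nonzero: send "DNT: 1" */
    int http_sec_gpc; /* nonzero: send "Sec-GPC: 1" */
} PrivacyPrefs;

/* Parse "name=YES|NO" lines; '#' comments, unknown keys and overlong lines are
 * skipped. Returns how many values were rejected; those fields stay unchanged. */
int privacy_prefs_parse(const char *rc, PrivacyPrefs *p)
{
    int bad = 0;
    while (*rc) {
        size_t len = strcspn(rc, "\n");
        char line[128], key[32], val[8];
        if (len < sizeof line) {
            memcpy(line, rc, len);
            line[len] = '\0';
            if (sscanf(line, " %31[^= \t#] = %7s", key, val) == 2) {
                int *dst = !strcmp(key, "http_dnt") ? &p->http_dnt :
                           !strcmp(key, "http_sec_gpc") ? &p->http_sec_gpc : NULL;
                if (dst && !strcmp(val, "YES")) *dst = 1;
                else if (dst && !strcmp(val, "NO")) *dst = 0;
                else if (dst) bad++;
            }
        }
        rc += len + (rc[len] == '\n');
    }
    return bad;
}

/* Write the enabled signals as header lines. Returns the length written, or -1
 * if the buffer is too small. NO omits the header; it never sends a 0 value. */
int privacy_headers_build(const PrivacyPrefs *p, char *out, size_t cap)
{
    int n = snprintf(out, cap, "%s%s", p->http_dnt ? "DNT: 1\r\n" : "",
                     p->http_sec_gpc ? "Sec-GPC: 1\r\n" : "");
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    PrivacyPrefs p = {1, 1}; /* constructed defaults: both YES, as proposed */
    char hdr[64];
    privacy_prefs_parse("http_dnt=NO\nhttp_sec_gpc=YES\n", &p); /* constructed */
    if (privacy_headers_build(&p, hdr, sizeof hdr) > 0) fputs(hdr, stdout);
    return 0;
}
```

A value other than YES or NO is counted and ignored rather than treated as NO, so a typo in the rc file cannot silently turn a privacy signal off.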
Hi,
On Tue, Apr 14, 2026 at 09:59:56PM +0200, Rodrigo Arias wrote:
I reached out to the EFF to ask if they still recommend the DNT header, and see if they can provide more data or details as to why.
The EFF seem to still encourage it, at least for the Privacy Badger extension:
From Privacy Badger's perspective, the benefits appear to continue to outweigh the costs. Here is the relevant issue:
Best,
Rodrigo.
Hi Rodrigo,
Rodrigo Arias <rodarima@gmail.com> wrote:
I think sending the Sec-GPC header by default may be a good idea. I suggest adding these two options to control the headers (NO = no header is sent):
http_dnt=YES
http_sec_gpc=YES
However, I don't want to introduce any new features or changes in the HTTP headers for this release as we are already closing the 3.3.0.
Sounds reasonable, I agree that allowing the user to control these settings is the right way to go.
There was a timely article just yesterday which claims that big-tech is outright ignoring GPC signals:
https://www.404media.co/google-microsoft-meta-all-tracking-you-even-when-you...
Even though some fines have already been issued based on GPC, they seem too small to be a real deterrent, and it just amounts to the 'cost of doing business' for these large corporations. It appears that often they don't even bother to pay the fines, and just tie up the courts for years:
https://www.irishtimes.com/business/2026/01/12/data-protection-commission-ow...
So, this will remain an uphill battle, and just sending anti-tracking signals will never be a replacement for aggressive privacy-preserving tactics. Thankfully Dillo has one of the best privacy-preserving features available: no javascript! Remember people, this is a feature, not a bug!
Regards,
Alex