Mailing list archive: ietf-http-wg-old@w3.org, January to April 1997

Re: errata for cookie spec

From: Fisher Mark <FisherM@is3.indy.tce.com>
Date: Thu, 06 Feb 97 09:59:00 EST
To: Dave Kristol <dmk@research.bell-labs.com>, Benjamin Franz <snowhare@netimages.com>
Cc: HTTP Working Group <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>, www-talk <www-talk@www10.w3.org>
Message-Id: <32F9F140@MSMAIL.INDY.TCE.COM>

Benjamin, you wrote:
>This needs to be strengthened. This is *ALREADY* a major problem,
>with a number of 'banner services' such as 'doubleclick.com' currently
>exploiting inlined images to track people across domains. Perhaps
>something like 'User agents MUST NOT allow the setting of cookies
>on inlined or embedded objects if the enclosing document and the inlined or
>embedded object would be precluded from directly sharing a cookie by the
>other domain exclusion rules.' should be added to 4.3.2.

I think this is a little strong.  I would prefer something like: 'By 
default, user agents MUST NOT allow the setting of cookies on inlined or 
embedded objects if the enclosing document and the inlined or embedded 
object would be precluded from directly sharing a cookie by the other domain 
exclusion rules.  User agents SHOULD allow turning off this option for the 
cases where cross-domain cookie sharing is appropriate.'  (Off hand, I don't 
know of any cases of appropriate cross-domain cookie sharing, but these may 
come up in an Intranet environment.)

BTW, the silent rejection of cookies, esp. by domain name, is a good idea.
======================================================================
Mark Leighton Fisher                   Thomson Consumer Electronics
fisherm@indy.tce.com                   Indianapolis, IN
Received on Thursday, 6 February 1997 07:18:07 EST
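The rule proposed in this exchange, as an added worked example that is not part of the original message or of the cookie specification itself: a user agent receives a Set-Cookie from an inlined object, applies the domain rejection rules of section 4.3.2 (Domain must start with a dot and contain an embedded dot, the request-host must domain-match it, and the request-host may sit only one label below it), and then accepts the cookie only if the embedding page's host and the inlined object's host could legitimately share a cookie under those same rules, with the opt-out Fisher asks for. The function names, the hostnames (www.netimages.com, ad.doubleclick.com, the example.com hosts) and the Set-Cookie lines are constructed for this example.

```python
"""Added example: RFC 2109-style domain matching plus the proposed rule that
a user agent must not accept cookies from an inlined/embedded object whose
host could not directly share a cookie with the enclosing document's host.
All function names and sample hosts below are this example's own."""

import ipaddress


def is_ip(host):
    """IP-address request-hosts only ever match themselves exactly."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, domain):
    """'domain-match': equal strings, or host == N + domain where domain
    starts with a dot and N is a non-empty string."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if is_ip(host) or not domain.startswith("."):
        return False
    return host.endswith(domain) and len(host) > len(domain)


def domain_attr_acceptable(request_host, domain_attr):
    """Rejection rules for an explicit Domain attribute (section 4.3.2)."""
    d = domain_attr.lower()
    host = request_host.lower()
    if d == host:
        return True
    if not d.startswith("."):          # must start with a dot
        return False
    if "." not in d[1:-1]:             # must contain an embedded dot (".com" does not)
        return False
    if not domain_match(host, d):      # request-host must domain-match Domain
        return False
    h = host[: -len(d)]                # host = H + D; H may not contain a dot
    return "." not in h


def parse_set_cookie(header):
    """Minimal Set-Cookie parser: returns (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def effective_domain(request_host, attrs):
    """Domain the cookie applies to, or None if the UA must reject it."""
    d = attrs.get("domain")
    if d is None:
        return request_host.lower()    # default Domain is the request-host
    return d.lower() if domain_attr_acceptable(request_host, d) else None


def can_share_cookie(host_a, host_b):
    """True if some Domain value one host may set would make the UA send that
    cookie to the other. Besides its own name, the only Domain a host can set
    is '.' + its parent, because any wider value fails the one-label rule."""
    for setter, receiver in ((host_a, host_b), (host_b, host_a)):
        candidates = [setter]
        if "." in setter and not is_ip(setter):
            candidates.append("." + setter.split(".", 1)[1])
        for d in candidates:
            if domain_attr_acceptable(setter, d) and domain_match(receiver, d):
                return True
    return False


def accept_embedded_cookie(top_host, request_host, set_cookie,
                           allow_cross_domain=False):
    """Proposed errata rule: a cookie set by an inlined object is accepted
    only if it passes 4.3.2 and the object's host could share a cookie with
    the enclosing document's host; allow_cross_domain is the opt-out."""
    _name, _value, attrs = parse_set_cookie(set_cookie)
    if effective_domain(request_host, attrs) is None:
        return False
    if top_host.lower() == request_host.lower() or allow_cross_domain:
        return True
    return can_share_cookie(top_host, request_host)


# Constructed scenarios: (page host, inlined object host, Set-Cookie header)
CASES = [
    ("www.netimages.com", "ad.doubleclick.com", "id=abc123; Domain=.doubleclick.com; Path=/"),
    ("www.example.com", "images.example.com", "sess=1; Domain=.example.com"),
    ("www.example.com", "deep.cdn.example.com", "x=1; Domain=.example.com"),
    ("www.example.com", "www.example.com", "t=1; Domain=.com"),
]

if __name__ == "__main__":
    for top, req, hdr in CASES:
        print(f"{top} <- {req}: {hdr!r} -> accept={accept_embedded_cookie(top, req, hdr)}")
```

The first case is the tracking pattern Benjamin describes: the banner host's cookie is perfectly valid under 4.3.2, and only the embedding check rejects it. The third case is rejected by 4.3.2 itself (the request-host sits two labels below the Domain), before the embedding rule is even consulted.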
