
Re: Re[2]: Unverifiable Transactions / Cookie draft

From: Dave Kristol <dmk@research.bell-labs.com>
Date: Tue, 18 Mar 97 17:02:42 EST
Message-Id: <9703182202.AA27031@aleatory>
To: Eric_Holstege@broder.com
Cc: http-wg@cuckoo.hpl.hp.com

Eric_Holstege@broder.com (Eric Holstege) wrote:
  > Perhaps I am misunderstanding this issue, but it seems to me that these are the
  > facts:
  > 
  > 1) DoubleClick etc. use cookies to track users across domains
  > 2) This allows small sites to participate in selling ad space by just including
  > inline image URLs that point to DoubleClick's ad server
  > 3) THIS permits small sites to generate ad revenue by merely adding some HTML to
  > their pages
  > 4) The current cookie spec prevents this scheme
  > 5) DoubleClick, et al can continue to do what they do now, BUT they will need
  > their member sites to run a CGI script that they would provide to track users.
  > [...]

Just to be clear about point (4):  the cookie spec does not *prevent*
unverifiable transactions (the kind of transaction DoubleClick uses).
The spec says (4.3.5):

    This restriction prevents a malicious service author from using
    unverifiable transactions to induce a user agent to start or continue a
    session with a server in a different domain.  The starting or
    continuation of such sessions could be contrary to the privacy
    expectations of the user, and could also be a security problem.

    User agents may offer configurable options that allow the user agent, or
    any autonomous programs that the user agent executes, to ignore the
    above rule, so long as these override options default to ``off.''

In other words, unverifiable transactions are allowed, but a user has
to take an active step to enable them.

Dave Kristol
Received on Tuesday, 18 March 1997 14:14:29 EST
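As an added illustration, not part of this message or of the spec text it quotes, the following Python models the 4.3.5 rule and its default-off override from the user agent's side: in an unverifiable transaction (an inline image, say) cookies are processed only if the origin transaction already sent or received a cookie whose Domain the requested host domain-matches, with domain-matching as RFC 2109 defines it. All host and domain names below are constructed.

```python
# Model of RFC 2109 section 4.3.5 cookie handling for unverifiable
# transactions. Host names and cookie domains are constructed examples.
from dataclasses import dataclass, field


def domain_match(host: str, d: str) -> bool:
    """RFC 2109 domain-match: the strings compare equal, or d starts with
    '.' and host is N + d with N non-empty (x.y.com matches .y.com, not y.com)."""
    host, d = host.lower(), d.lower()
    if host == d:
        return True
    return d.startswith(".") and host.endswith(d) and len(host) > len(d)


@dataclass
class OriginTransaction:
    """The user-initiated (verifiable) request, plus the Domain attributes of
    every cookie that was sent or received while handling it."""
    request_host: str
    cookie_domains: set = field(default_factory=set)


def cookies_enabled(origin: OriginTransaction, request_host: str,
                    unverifiable: bool, override_on: bool = False) -> bool:
    """Decide whether the user agent may send or accept cookies for a request.

    override_on is the configurable option the spec allows; it must default
    to off, so the third-party case below is blocked unless the user acts.
    """
    if not unverifiable:
        return True  # the user could review the request-URI: normal processing
    if override_on:
        return True  # user explicitly enabled cross-domain sessions
    # Only continue a session the origin transaction already established.
    return any(domain_match(request_host, d) for d in origin.cookie_domains)


if __name__ == "__main__":
    # Page at www.smallsite.example embeds an ad image served from elsewhere.
    origin = OriginTransaction("www.smallsite.example", {".smallsite.example"})
    print(cookies_enabled(origin, "ad.adnetwork.example", unverifiable=True))
    print(cookies_enabled(origin, "ad.adnetwork.example", unverifiable=True,
                          override_on=True))
    print(cookies_enabled(origin, "img.smallsite.example", unverifiable=True))
```

The first call is the scenario in Eric's point (4): the ad network's inline-image request carries no cookies under the default configuration, while the same request with the option switched on, or an inline request within the origin site's own domain, proceeds normally.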

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:31 EDT