
Re: LAST CALL, "HTTP State Management Mechanism (Rev1) " to Propo

From: Dave Kristol <dmk@research.bell-labs.com>
Date: Tue, 22 Jul 97 16:28:02 EDT
Message-Id: <9707222028.AA12918@zp>
To: dwm@xpasc.com
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

Dave Morris and others have pretty consistently supported the inclusion
of a CommentURL attribute in Set-Cookie2.  I was in the process of
editing that capability in for the next draft when I ran into the
following puzzle:  how to express the general idea that no cookies
should be sent or received during the inspection process.

Here's an illustration of the problem.  I send a request to foo.com and
get back a cookie that contains
CommentURL="http://foo.com/cookie-policy.html".  I'm given the option
to inspect that CommentURL, so I do so.  The HTML could potentially
have images in it, even links to images on advertising networks.  It
could also have links to other pages on foo.com.  If I follow those
links (all while supposedly inspecting the cookie policy), I get deeper
and deeper into the site.  All the while cookie handling should be
disabled, right?  How does it get re-enabled?

Does this wording express it adequately?:

If the user agent allows the user to follow the [CommentURL] link [as
part of a cookie inspection user interface], it should neither send nor
accept a cookie until the user has completed the inspection.

Dave Kristol
Received on Tuesday, 22 July 1997 13:35:26 EDT
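
An added example, not part of the original message or of any draft: a minimal Python model of a user agent that applies the proposed wording, sending and accepting no cookies from the moment the inspection interface opens until the user explicitly closes it, no matter how many links are followed in between. The `UserAgent` class, its method names, the simplified attribute parser, and the choice to hold the offered cookie pending until the user decides are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie2(header):
    """Simplified split of 'name=value; Attr="val"; ...' (no ';' inside values)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip().strip('"')
    return name, value, attrs

class UserAgent:
    """Hypothetical user agent; not taken from any real browser."""
    def __init__(self):
        self.jar = {}            # host -> {cookie name: value}
        self.pending = None      # (host, name, value) awaiting the user's decision
        self.inspecting = False  # True while the cookie-inspection UI is open

    def fetch(self, url, set_cookie2=None):
        """Simulate one exchange; return (Cookie header sent, CommentURL offered)."""
        if self.inspecting:
            return None, None    # send nothing, ignore any Set-Cookie2 in the response
        host = urlsplit(url).hostname
        cookies = self.jar.get(host, {})
        sent = "; ".join(f"{n}={v}" for n, v in cookies.items()) or None
        if set_cookie2 is None:
            return sent, None
        name, value, attrs = parse_set_cookie2(set_cookie2)
        if "commenturl" in attrs:
            self.pending = (host, name, value)   # assumption: hold until inspected
            return sent, attrs["commenturl"]
        self.jar.setdefault(host, {})[name] = value
        return sent, None

    def begin_inspection(self):
        self.inspecting = True

    def end_inspection(self, accept):
        """Only this explicit user action re-enables cookie handling."""
        self.inspecting = False
        if self.pending and accept:
            host, name, value = self.pending
            self.jar.setdefault(host, {})[name] = value
        self.pending = None
```

Re-enabling is tied to `end_inspection` rather than to any particular page load, so following links deeper into the site from the policy page never turns cookie handling back on by accident.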
