W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1997

Re: LAST CALL, "HTTP State Management Mechanism (Rev1) " to Propo

From: Jonathan Stark <stark@commerce.net>
Date: Tue, 22 Jul 1997 14:57:34 -0700 (PDT)
Message-Id: <199707222157.OAA22007@boa.commerce.net>
To: "David W. Morris" <dwm@xpasc.com>
Cc: dmk@research.bell-labs.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

David Morris wrote:

> > If the user agent allows the user to follow the [CommentURL] link [as
> > part of a cookie inspection user interface], it should neither send nor
> > accept a cookie until the user has completed the inspection.
> 
> I believe that wording is safe but perhaps too conservative. I think the
> only ambiguous case is if the
> UA provides access to the CommentURL while the user is being asked whether
> or not to accept a cookie. Once a cookie has been stored and the user
> is simply reviewing cookies already acquired I can't see any problem 
> with treating the CommentURL normally. I also don't see any conflict
> with sending or receiving already approved cookies with the CommentURL
> request. With those arguments in mind, how about the alternative:

I think there are potential problems with scripts trying to change
existing, already "accepted" cookies, or expiring them, but I think
you very gracefully address these issues in your wording below.
Looks good.

>    A potentially confusing situation exists if a user agent's cookie
>    inspection interface allows a user to follow a CommentURL link
>    within a dialog which is prompting the user to decide if the cookie
>    containing the CommentURL is acceptable AND following the CommentURL
>    link results in receipt of a new, not previously approved cookie.
>    The useragent MAY discard any cookie received in this context in order
>    to avoid the complexities of interacting with the user regarding nested
>    set-cookie requests.  Servers which depend on cookies MUST allow for
>    the possibility that URLs used in their cookie's CommentURL value
>    will be ignored by user agents.

Jonathan
Received on Tuesday, 22 July 1997 15:04:02 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:49 EDT