W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1997

Re: Removing CommentURL

From: Jonathan Stark <stark@commerce.net>
Date: Fri, 25 Jul 1997 13:58:14 -0700 (PDT)
Message-Id: <199707252058.NAA18114@boa.commerce.net>
To: valeski@netscape.com
Cc: masinter@parc.xerox.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>     Although the commentURL attribute would provide a richer context for =
> the cookie to be evaluated in, it is going a step too far.  The comment a=
> ttribute is sufficient to explain a cookie's purpose.  If it is not, the =
> cookie server can provide a url in the comment attribute that the user/UA=
>  can reference for further info. regarding the cookie.  I would consider =
> it bad practice for the url the cookie server sends in the comment attrib=
> ute to contain cookies, but, content providers can obviously do whatever =
> they want.
> 
>     As long as the UA allows for examination of cookies, the user has com=
> plete control over what cookies he keeps. If the user allows a cookie to =
> be set because he didn't have a commentURL available for evaluation befor=
> e accepting the cookie, before he issues another request he can examine h=
> is cookies and visit any url in any comment attribute he wants. If at tha=
> t point the user decides he doesn't want that cookie, he can delete it.

To put any meaningful explanation of what the cookie is used for will
require a small paragraph.  That's a small paragraph in every Comment
header in every document that goes out of most servers that use
cookies.  This is not network friendly.

If you can see the justification for Comment, it should be obvious
that regardless of how it's implemented, CommentURL would be better.
It's much more versatile.

With including a URL in the comment, how likely is it that a user will not 
only be allowed by the browser to open a new browser (presumably before
making a decision about accepting a cookie) but also copy a url off the
screen into the new browser, then look at what it says, and then
make a decision?  (And what are the odds that they'll even get that
cookie policy at the URL without another cookie being sent to them,
and being asked to accept the same cookie?).  How many people
will actually do it?

If you cut CommentURL out, you might as well cut Comment out as well.

Keep CommentURL.

Jonathan
Received on Friday, 25 July 1997 14:04:37 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:49 EDT