
Re: Art 10: Issue 3 - cookies

From: Lorrie Cranor <lorrie@cs.cmu.edu>
Date: Sat, 7 Feb 2004 16:23:20 -0500
Message-Id: <DA94838A-59B3-11D8-9EB3-000A95DA3F5A@cs.cmu.edu>
Cc: 'public-p3p-spec' <public-p3p-spec@w3.org>
To: Giles Hogben <giles.hogben@jrc.it>

On Feb 7, 2004, at 4:34 AM, Giles Hogben wrote:

>
>
>>> Here are the latest suggested changes (the guidelines text has changed
>>> quite a lot so please check):
>>>
>>> Text for 2.3.2.7.
>>> -----------------
>>> Add:
>>> User agents evaluating cookies SHOULD apply the results of a preference
>>> match on the cookie's policy before setting the cookie.
>>
>> How about
>>
>> User agents that evaluate cookie policies SHOULD perform this evaluation
>> before setting a cookie.
>
> This does not convey the advice that the cookie should not be saved
> if it doesn't match the user's preferences.

I'm not sure we want to say that. A user might specify, for example, 
that cookies that don't match their preferences should be converted to 
session cookies rather than deleted altogether. Also, I could imagine a 
user agent that gives users the option of storing rejected cookies in a 
separate place for later analysis or inspection. So I think we should 
make the point that cookies should be evaluated before set time. But 
I'm not sure we want to specify what should happen as a result of that 
evaluation. We could say:

User agents that evaluate cookie policies SHOULD perform this 
evaluation before setting a cookie so that the cookie can be discarded 
without being set if that is what is dictated by the user's 
preferences.




>
> (Thanks for the other comments, don't have time this week to reply as
> I am travelling...)
>
>>
>>
>>>
>>> Text for guidelines
>>> -------------------
>>> Certain jurisdictions view the storage of cookies on a user's hard
>>> drive as an act of data processing. In such jurisdictions (e.g. the EU),
>>> policies should always be evaluated before a cookie is set and cookies
>>> should not be stored unless the cookie's policy is found to comply with
>>> the user's preferences.
>>
>> In my mail on Issue 1 I had suggested a section called "Timing of
>> Notices to Users"... now I'm thinking the section should be "Timing of
>> Policy Evaluation and Notice to Users" ... then we can include this
>> paragraph at the end of that section.
>>
>>
>>
>>>
>>> -------------------------------------
>>> Giles Hogben
>>> European Commission Joint Research Centre
>>> Institute for the Protection and Security of the Citizen
>>> Cybersecurity
>>> New technologies for Combatting Fraud Unit
>>> TP 267
>>> Via Enrico Fermi 1
>>> Ispra
>>> 21020 VA
>>> Italy
>>>
>>> giles.hogben@jrc.it
>>> tel:+390332789187
>>> fax:+390332789576
>>>
>>>
>>
>>
>
Received on Saturday, 7 February 2004 16:22:44 EST
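
The set-time evaluation discussed in this message, as an added example that is not part of the original thread or of the P3P specification: a hypothetical cookie jar matches a cookie's compact policy against the user's preferences before anything is stored, and the user's configured disposition (discard, convert to a session cookie, or keep aside for inspection) decides what happens on a mismatch. The `CookieJar` class, the preference object and its blocked-token model are assumptions made for illustration; the compact-policy tokens in the comments are standard P3P ones.

```javascript
// Added example: hypothetical user-agent cookie jar (not from the thread or the P3P spec).
// What the user has chosen to happen when a cookie's policy fails the preference match.
const ON_MISMATCH = ["discard", "session", "quarantine"];

// Extract compact-policy tokens from a P3P response header value such as CP="NOI DSP".
function parseCompactPolicy(p3pHeader) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(p3pHeader || "");
  return m ? m[1].trim().split(/\s+/).filter(Boolean) : null; // null = no policy sent
}

// Assumed preference model: a cookie fails if it has no policy (when one is required)
// or if any token is on the user's block list. A trailing a/i/o consent flag is ignored.
function matchesPreferences(tokens, prefs) {
  if (tokens === null) return !prefs.requirePolicy;
  return !tokens.some((t) => prefs.blockedTokens.has(t.replace(/[aio]$/, "")));
}

class CookieJar {
  constructor(prefs) {
    if (!ON_MISMATCH.includes(prefs.onMismatch)) throw new Error("unknown onMismatch");
    this.prefs = prefs;
    this.stored = new Map(); // cookies that were actually set
    this.quarantine = [];    // rejected cookies kept for inspection, never sent back
  }

  // Evaluate first, store second: nothing is written until the match result is known.
  receive(cookie, p3pHeader) {
    const tokens = parseCompactPolicy(p3pHeader);
    if (matchesPreferences(tokens, this.prefs)) {
      this.stored.set(cookie.name, { ...cookie });
      return "set";
    }
    switch (this.prefs.onMismatch) {
      case "session": // keep the cookie but strip its persistence
        this.stored.set(cookie.name, { ...cookie, expires: null });
        return "set-as-session";
      case "quarantine":
        this.quarantine.push({ ...cookie, p3pHeader });
        return "quarantined";
      default:
        return "discarded";
    }
  }
}

// Constructed sample preferences: block telemarketing use and unrelated recipients.
const samplePrefs = { requirePolicy: true, blockedTokens: new Set(["TEL", "UNR"]) };
```
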
