- From: Lorrie Cranor <lorrie@cs.cmu.edu>
- Date: Sat, 7 Feb 2004 16:23:20 -0500
- To: Giles Hogben <giles.hogben@jrc.it>
- Cc: 'public-p3p-spec' <public-p3p-spec@w3.org>
On Feb 7, 2004, at 4:34 AM, Giles Hogben wrote:

>>> Here are the latest suggested changes (the guidelines text has changed
>>> quite a lot so please check):
>>>
>>> Text for 2.3.2.7.
>>> -----------------
>>> Add:
>>> User agents evaluating cookies SHOULD apply the results of a preference
>>> match on the cookie's policy before setting the cookie.
>>
>> How about
>>
>> User agents that evaluate cookie policies SHOULD perform this evaluation
>> before setting a cookie.
>
> This does not convey the advice that the cookie should not be saved
> if it doesn't match the user's preferences.

I'm not sure we want to say that. A user might specify, for example, that cookies that don't match their preferences should be converted to session cookies rather than deleted altogether. Also, I could imagine a user agent that gives users the option of storing rejected cookies in a separate place for later analysis or inspection. So I think we should make the point that cookies should be evaluated before set time. But I'm not sure we want to specify what should happen as a result of that evaluation.

We could say:

User agents that evaluate cookie policies SHOULD perform this evaluation before setting a cookie so that the cookie can be discarded without being set if that is what is dictated by the user's preferences.

> (Thanks for the other comments, don't have time this week to reply as
> I am travelling...)
>
>>> Text for guidelines
>>> -------------------
>>> Certain jurisdictions view the storage of cookies on a user's hard
>>> drive as an act of data processing. In such jurisdictions (e.g. the EU),
>>> policies should always be evaluated before a cookie is set and cookies
>>> should not be stored unless the cookie's policy is found to comply with
>>> the user's preferences.
>>
>> In my mail on Issue 1 I had suggested a section called "Timing of
>> Notices to Users"... now I'm thinking the section should be "Timing of
>> Policy Evaluation and Notice to Users" ... then we can include this
>> paragraph at the end of that section.
>>
>>> -------------------------------------
>>> Giles Hogben
>>> European Commission Joint Research Centre
>>> Institute for the Protection and Security of the Citizen
>>> Cybersecurity
>>> New technologies for Combatting Fraud Unit
>>> TP 267
>>> Via Enrico Fermi 1
>>> Ispra
>>> 21020 VA
>>> Italy
>>>
>>> giles.hogben@jrc.it
>>> tel:+390332789187
>>> fax:+390332789576
Received on Saturday, 7 February 2004 16:22:44 UTC
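
The evaluate-before-set behaviour discussed in this thread, sketched as an added example that is not part of the original message or of the P3P specification. The `CookieJar` class, the preference model (a list of rejected compact-policy tokens compared exactly, plus a mismatch action) and the choice to treat a missing compact policy as a mismatch are all assumptions made for illustration.

```javascript
// Added illustration: a user agent that evaluates a cookie's P3P compact
// policy BEFORE the cookie is set, then applies the user's chosen outcome.
// Hypothetical preference model: { rejectTokens: [...], onMismatch: action }.
const ACTIONS = ["discard", "session", "quarantine"];

function parseCompactPolicy(p3pHeader) {
  // Header value form: CP="TOKEN TOKEN ..."; null when absent or empty.
  const m = /CP\s*=\s*"([^"]*)"/i.exec(p3pHeader || "");
  if (!m) return null;
  const tokens = m[1].trim().split(/\s+/).filter(Boolean);
  return tokens.length ? tokens : null;
}

function evaluate(tokens, prefs) {
  // Assumption: no compact policy counts as a mismatch.
  if (tokens === null) return { match: false, reason: "no compact policy" };
  const hit = tokens.find((t) => prefs.rejectTokens.includes(t));
  return hit ? { match: false, reason: "rejected token " + hit } : { match: true };
}

class CookieJar {
  constructor(prefs) {
    if (!ACTIONS.includes(prefs.onMismatch)) throw new Error("unknown action");
    this.prefs = prefs;
    this.stored = new Map(); // cookies that were actually set
    this.quarantine = [];    // rejected cookies kept apart for inspection
  }

  // Called when a Set-Cookie arrives; nothing is written until evaluation ends.
  receive(cookie, p3pHeader) {
    const verdict = evaluate(parseCompactPolicy(p3pHeader), this.prefs);
    if (verdict.match) {
      this.stored.set(cookie.name, cookie);
      return "stored";
    }
    switch (this.prefs.onMismatch) {
      case "session": // downgrade: drop the expiry so it ends with the session
        this.stored.set(cookie.name, { ...cookie, expires: null });
        return "stored-as-session";
      case "quarantine": // never set, but retained for later analysis
        this.quarantine.push({ cookie, reason: verdict.reason });
        return "quarantined";
      default:
        return "discarded"; // never set at all
    }
  }
}
```

Because the verdict is computed before any write to `stored`, each of the outcomes mentioned in the message (discard, convert to a session cookie, keep aside for inspection) remains available to the user agent.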