
Re: Opting in to cookies - proposal version 3

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 20 Jun 2008 00:16:43 +0000 (UTC)
To: Jonas Sicking <jonas@sicking.cc>
Cc: Web Applications Working Group WG <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0806200010360.13974@hixie.dreamhostps.com>

On Thu, 19 Jun 2008, Jonas Sicking wrote:
> 
> The site is as always responsible for asking the user before allowing 
> third-party access to private data, and yes, if they fail to do so 
> properly they will be vulnerable.

So I guess I don't really understand what your proposal solves, then. It 
seems like a lot of complexity for only a very minimal gain in only one 
very specific scenario (the site doesn't ever return cookie-based data 
cross-site). We're still relying on the author not making mistakes, 
despite "the author will make a mistake" being our underlying assumption. 
If the site has to know to not include the cookie opt-in header, why not 
just have the site ignore the cookies? (It also introduces the problems 
that Maciej mentioned, which I think are valid problems.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 20 June 2008 00:28:38 GMT
