- From: Clover Andrew <aclover@1VALUE.com>
- Date: Mon, 20 Mar 2000 09:09:58 +0100
- To: "'www-talk@w3.org'" <www-talk@w3.org>
Antoni Matheu <amatheu@ati.es> wrote:

> I think that cookies do not send any information not previously
> stored in it, and this information has been available to the server
> by other means.

There is some risk in that it is not always obvious to whom information is being sent. Specifically, most browsers allow cookies to be sent and received on embedded objects in a web page: frame, object, embed, and image.

When a user inputs a URL on www.a.com they are implicitly agreeing that their access can be logged by a.com and may be used for marketing purposes. However, if www.a.com/index.html includes an image stored at images.b.com, the user will unknowingly be allowing b.com to log not only the access to images.b.com, but also, by implication, the original access to www.a.com.

If b.com ensures that it has embedded images on a great number of sites, it can use a cookie at images.b.com to tie together accesses to all its partner sites and obtain a detailed report on individuals' browsing habits.

more on this: http://www.tiac.net/users/smiths/privacy/banads.htm

The solution is to stop browsers from sending cookies to places the user would not expect for the URL they typed. At the moment the best one can do is use Internet Explorer's Zone feature to allow cookies only on a few trusted sites, or turn cookies off in Netscape. The 'prompt on cookies' options tend to be impractical as one is then barraged with cookie requests on many pages, making it tempting to simply say "yes" to get the prompts to go away.

It strikes me Microsoft could blackmail DoubleClick for large sums by threatening to set "don't allow cookies from embedded objects" as the default in Internet Explorer.

--
Andrew Clover
Technical Support
1VALUE.com AG
Received on Monday, 20 March 2000 03:12:50 UTC
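
The following is an added illustration, not part of the original message: a small simulation of the embedded-image scenario described above, comparing a browser that sends cookies on every request with one that applies a "don't allow cookies from embedded objects" policy. The host www.c.com, the file names, the `uid` values and the two-label definition of "site" are assumptions made for the example.

```javascript
// Added example. "Site" is simplified to the last two hostname labels;
// real browsers need the Public Suffix List to get this right.
const siteOf = (url) => new URL(url).hostname.split(".").slice(-2).join(".");

// Constructed sample: pages the user types, each embedding an image from images.b.com.
const PAGES = {
  "http://www.a.com/index.html": ["http://images.b.com/banner.gif"],
  "http://www.c.com/news.html": ["http://images.b.com/banner.gif"],
};

// Simulate the visits and return the access log held by the embedded object's server.
function browse(typedUrls, blockEmbeddedCookies) {
  const jar = new Map(); // browser cookie jar: host -> cookie value
  const log = [];
  let nextId = 1;
  for (const page of typedUrls) {
    for (const obj of PAGES[page] || []) {
      const host = new URL(obj).hostname;
      const thirdParty = siteOf(obj) !== siteOf(page);
      const allowed = !(blockEmbeddedCookies && thirdParty);
      // Browser side: attach the stored cookie only if the policy permits it.
      const sent = allowed ? jar.get(host) : undefined;
      // Server side: reuse the id received, otherwise issue a fresh one (Set-Cookie).
      const id = sent ?? `uid${nextId++}`;
      if (allowed) jar.set(host, id); // a blocked Set-Cookie is discarded
      // The Referer header names the embedding page under either policy.
      log.push({ cookie: id, referer: page });
    }
  }
  return log;
}

// Sites the server can attribute to one visitor: cookie ids seen on more than one site.
function linkedProfiles(log) {
  const byCookie = new Map();
  for (const { cookie, referer } of log) {
    if (!byCookie.has(cookie)) byCookie.set(cookie, new Set());
    byCookie.get(cookie).add(siteOf(referer));
  }
  return [...byCookie.values()]
    .filter((sites) => sites.size > 1)
    .map((sites) => [...sites].sort());
}
```

With cookies sent on embedded objects, both visits carry the same id and are joined into one profile; with the restrictive policy each request looks like a new visitor, so the server still logs the accesses but cannot tie them together by cookie.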