- From: Fisher Mark <FisherM@is3.indy.tce.com>
- Date: Thu, 06 Feb 97 09:59:00 EST
- To: Dave Kristol <dmk@research.bell-labs.com>, Benjamin Franz <snowhare@netimages.com>
- Cc: HTTP Working Group <http-wg@cuckoo.hpl.hp.com>, www-talk <www-talk@w3.org>
Benjamin, you wrote:

> This needs to be strengthened. This is *ALREADY* a major problem,
> with a number of 'banner services' such as 'doubleclick.com' currently
> exploiting inlined images to track people across domains. Perhaps
> something like 'User agents MUST NOT allow the setting of cookies
> on inlined or embedded objects if the enclosing document and the inlined or
> embedded object would be precluded from directly sharing a cookie by the
> other domain exclusion rules.' should be added to 4.3.2.

I think this is a little strong. I would prefer something like:

'By default, user agents MUST NOT allow the setting of cookies on inlined or embedded objects if the enclosing document and the inlined or embedded object would be precluded from directly sharing a cookie by the other domain exclusion rules. User agents SHOULD allow turning off this option for the cases where cross-domain cookie sharing is appropriate.'

(Offhand, I don't know of any cases of appropriate cross-domain cookie sharing, but these may come up in an Intranet environment.)

BTW, the silent rejection of cookies, esp. by domain name, is a good idea.

======================================================================
Mark Leighton Fisher                    Thomson Consumer Electronics
fisherm@indy.tce.com                    Indianapolis, IN
Received on Thursday, 6 February 1997 09:53:44 UTC
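The following is an added illustration of how a user agent could apply the default rule proposed in the message above; it is not code from the HTTP Working Group, from any browser, or from the message's author. The domain-match definition and the three rejection conditions follow the RFC 2109 draft text (section 2 and section 4.3.2). Reading "precluded from directly sharing a cookie" as "the enclosing document's host does not domain-match the cookie's effective domain" is this example's own interpretation, the `block_third_party` switch stands in for the user option the message asks for, and all host names are constructed for the example.

```python
"""Model of RFC 2109 cookie acceptance plus the proposed third-party rule.

Constructed example: the host names below are made up, and the third-party
check is one interpretation of the wording proposed in the message.
"""
from typing import Optional


def is_ip_address(host: str) -> bool:
    """Crude dotted-quad test; RFC 2109 exempts IP addresses from the HD rule."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 section 2 domain-match.

    host domain-matches domain if they are identical, or if domain starts
    with a dot and host is a longer name ending in domain.  So x.y.com
    domain-matches .y.com, but y.com does not, and the relation is not
    commutative.
    """
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and len(host) > len(domain) and host.endswith(domain)


def reject_reason(request_host: str, domain_attr: Optional[str]) -> Optional[str]:
    """Return the RFC 2109 section 4.3.2 reason a Set-Cookie is rejected, or None."""
    if domain_attr is None:
        return None  # section 4.3.1: Domain defaults to the request-host itself
    domain = domain_attr.lower()
    # Domain must start with a dot and contain at least one embedded dot.
    if not domain.startswith(".") or "." not in domain[1:]:
        return "Domain has no leading dot or no embedded dot"
    if not domain_match(request_host, domain):
        return "request-host does not domain-match Domain"
    # request-host must be HD with H containing no dots (one label below Domain).
    h = request_host.lower()[: -len(domain)]
    if not is_ip_address(request_host) and "." in h:
        return "request-host is more than one label below Domain"
    return None


def effective_domain(request_host: str, domain_attr: Optional[str]) -> str:
    """The domain the cookie will be returned to once accepted."""
    return domain_attr.lower() if domain_attr else request_host.lower()


def accept_cookie(request_host: str,
                  domain_attr: Optional[str],
                  enclosing_host: Optional[str] = None,
                  block_third_party: bool = True) -> bool:
    """Decide whether the user agent keeps a cookie.

    request_host   - host that sent the Set-Cookie response
    domain_attr    - its Domain attribute, or None
    enclosing_host - host of the document that inlined this object
                     (None for a top-level request)
    block_third_party - the default-on option proposed in the message
    """
    if reject_reason(request_host, domain_attr) is not None:
        return False
    if enclosing_host is None or not block_third_party:
        return True
    # Proposed rule (this example's reading): the enclosing document must
    # itself be able to receive the cookie, i.e. it domain-matches the
    # cookie's effective domain.  A banner server on another domain fails.
    return domain_match(enclosing_host, effective_domain(request_host, domain_attr))


if __name__ == "__main__":
    # Constructed cases: a page on www.example.com inlining two images.
    print(accept_cookie("ad.doubleclick.com", None, "www.example.com"))          # False
    print(accept_cookie("ad.doubleclick.com", ".doubleclick.com", "www.example.com"))  # False
    print(accept_cookie("images.example.com", ".example.com", "www.example.com"))  # True
    print(accept_cookie("ad.doubleclick.com", None))                               # True
```

The first two calls show the tracking case the message describes: a banner server's cookie, with or without a Domain attribute, is dropped when the object is inlined from another domain, but the same cookie is accepted on a direct top-level visit or when the option is turned off.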