Re: errata for cookie spec
Benjamin, you wrote:
>This needs to be strengthened. This is *ALREADY* a major problem,
>with a number of 'banner services' such as 'doubleclick.com' currently
>exploiting inlined images to track people across domains. Perhaps
>something like 'User agents MUST NOT allow the setting of cookies
>on inlined or embedded objects if the enclosing document and the inlined or
>embedded object would be precluded from directly sharing a cookie by the
>other domain exclusion rules.' should be added to 4.3.2.
I think this is a little strong. I would prefer something like: 'By
default, user agents MUST NOT allow the setting of cookies on inlined or
embedded objects if the enclosing document and the inlined or embedded
object would be precluded from directly sharing a cookie by the other domain
exclusion rules. User agents SHOULD allow turning off this option for the
cases where cross-domain cookie sharing is appropriate.' (Off hand, I don't
know of any cases of appropriate cross-domain cookie sharing, but these may
come up in an Intranet environment.)
BTW, the silent rejection of cookies, esp. by domain name, is a good idea.
======================================================================
Mark Leighton Fisher          Thomson Consumer Electronics
fisherm@indy.tce.com          Indianapolis, IN
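As an added example (not part of this thread or of any user agent's code), here is how a user agent could apply the default proposed above on top of the RFC 2109 section 4.3.2 domain rules: a cookie from an embedded object is only accepted when the enclosing document's host would itself pass those rules for the cookie's effective domain. The function names, the `allow_cross_domain` override and the host names in the scenarios are assumptions constructed for the example.

```python
from typing import Optional


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 'domain-match': hosts equal, or host ends with a dot-prefixed domain."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def cookie_acceptable(request_host: str, domain_attr: Optional[str]) -> bool:
    """Section 4.3.2 rejection rules for a Set-Cookie received from request_host."""
    if domain_attr is None:
        return True  # Domain defaults to the request-host itself
    domain = domain_attr.lower()
    if "." not in domain[1:] and domain != ".local":
        return False  # Domain value has no embedded dots (e.g. ".com")
    if not domain_match(request_host, domain):
        return False  # request-host does not domain-match the Domain attribute
    # request-host of the form H + Domain where H contains a dot is rejected
    prefix = request_host.lower()[: len(request_host) - len(domain)]
    return "." not in prefix


def embedded_cookie_allowed(document_host: str, object_host: str,
                            domain_attr: Optional[str],
                            allow_cross_domain: bool = False) -> bool:
    """Proposed default: set the embedded object's cookie only if the enclosing
    document could share it under the same rules (assumed override switch)."""
    if not cookie_acceptable(object_host, domain_attr):
        return False  # the ordinary rules already reject it
    if allow_cross_domain:
        return True  # the SHOULD-be-configurable option for Intranet cases
    effective_domain = domain_attr if domain_attr is not None else object_host
    return cookie_acceptable(document_host, effective_domain)


def check_scenarios() -> dict:
    """Constructed cases: a page on www.example.com embedding three objects."""
    doc = "www.example.com"
    return {
        "third_party_banner": embedded_cookie_allowed(doc, "ad.doubleclick.com", None),
        "third_party_with_domain": embedded_cookie_allowed(doc, "ad.doubleclick.com", ".doubleclick.com"),
        "same_site_shared_domain": embedded_cookie_allowed(doc, "images.example.com", ".example.com"),
        "same_host": embedded_cookie_allowed(doc, doc, None),
    }
```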