Re: RFC2109 addition... from M. Hedlund on 1997-03-25 (ietf-http-wg@w3.org from January to March 1997)

From: M. Hedlund <hedlund@best.com>
Date: Mon, 24 Mar 1997 17:29:41 -0800 (PST)
To: Jonathan Stark <stark@commerce.net>
Cc: http-wg@cuckoo.hpl.hp.com
Message-Id: <Pine.SGI.3.95.970324170333.26447K-100000@shellx.best.com>

Jonathan, thanks for reviewing the RFC.

On Mon, 24 Mar 1997, Jonathan Stark wrote:
> I would like to have a CommentURL which contains the path to comments
> regarding the privacy policies of the site that deal with the cookie.

The potential loop problem (setting a cookie on the cookie information page
-- which you address in your proposed language) is pretty funny. 

I think this suggestion creates UI weirdness -- the proposal seems to
assume that the client can open a second window for review of the policy
before making an accept/decline decision on the cookie.  That may not be
true for, say, a Pilot Web browser, or other limited-UI browsers.  I don't
think it is a reason to reject the proposal, but I do think it is worth
considering.  I would say we might want to recommend that a comment always
accompany a commenturl, so that a limited-UI agent has options.

I like David's point about language negotiation being handled through the
follow-up request, though.  

> I would like this URL to be relative to the URL that issued the cookie,
> unless otherwise specified (as being server relative or fully qualified).

Hm....what if I want to reference the generic eTRUST cookie policy (if such
a thing were to exist) at the eTRUST site?  Then eTRUST could say, "5
million people examined our cookie policy before accepting a cookie this
month, so privacy is important to them."  (My point being that there is
value to centralized policies, and thus absolute commenturls, be they for
privacy advocates or Better Business Bureaus or whatever.) 

> CommentURL=commenturl

How about 
  CommentURL = '<' commenturl '>'

> Optional.  The CommentURL allows an origin server to specify a document
> that explains the usage of this cookie, and could optionally also explain
> the policies governing the use of information collected through this cookie.

Add: "A server SHOULD send a comment if sending a commentURL, for use by
those browsers unable to display the CommentURL contents."

Okay?

> A user-agent can offer the user the option of inspecting this page before
> accepting a cookie.  

Should be: "A user-agent MAY..."

> Any cookies issued while attempting to retrieve the
> document at commenturl should be refused.

Marc Hedlund <hedlund@best.com>

Received on Monday, 24 March 1997 17:35:25 UTC