- From: Dave Kristol <dmk@research.bell-labs.com>
- Date: Tue, 22 Jul 97 16:28:02 EDT
- To: dwm@xpasc.com
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

Dave Morris and others have pretty consistently supported the inclusion of a CommentURL attribute in Set-Cookie2. I was in the process of editing that capability in for the next draft when I ran into the following puzzle: how to express the general idea that no cookies should be sent or received during the inspection process.

Here's an illustration of the problem. I send a request to foo.com and get back a cookie that contains CommentURL="http://foo.com/cookie-policy.html". I'm given the option to inspect that CommentURL, so I do so. The HTML could potentially have images in it, even links to images on advertising networks. It could also have links to other pages on foo.com. If I follow those links (all while supposedly inspecting the cookie policy), I get deeper and deeper into the site. All the while cookie handling should be disabled, right? How does it get re-enabled?

Does this wording express it adequately?:

    If the user agent allows the user to follow the [CommentURL] link [as part of a cookie inspection user interface], it should neither send nor accept a cookie until the user has completed the inspection.

Dave Kristol

Received on Tuesday, 22 July 1997 13:35:26 UTC
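
One way a user agent could implement the proposed wording, as an added example that is not part of the original message or of any draft: cookie handling is a property of the inspection session, so the policy page, its embedded images and any links followed from it are all covered until the session ends. The `UserAgent` class, the exact-host cookie matching, the `ads.example` host and the choice to re-enable cookies when the inspection view is closed are assumptions made for illustration.

```python
from contextlib import contextmanager
from urllib.parse import urlsplit


class UserAgent:
    """Toy user agent (hypothetical): a cookie jar plus an inspection mode."""

    def __init__(self):
        self.jar = {}            # host -> {cookie name: value}; exact host only
        self.inspecting = False  # True while a CommentURL is being viewed

    def cookie_header(self, url):
        """Cookie header value to send with a request for url, or None."""
        if self.inspecting:
            return None          # send nothing during inspection
        cookies = self.jar.get(urlsplit(url).hostname, {})
        return "; ".join(f"{k}={v}" for k, v in cookies.items()) or None

    def receive(self, url, name, value):
        """Handle a cookie set by the response for url; True if stored."""
        if self.inspecting:
            return False         # accept nothing during inspection
        self.jar.setdefault(urlsplit(url).hostname, {})[name] = value
        return True

    @contextmanager
    def inspect(self):
        """Cookie handling is off for every request made inside the block:
        the policy page, its images, and links followed from it."""
        self.inspecting = True
        try:
            yield
        finally:
            self.inspecting = False  # user completed the inspection


def demo():
    ua = UserAgent()
    ua.receive("http://foo.com/", "session", "abc")  # constructed sample cookie
    with ua.inspect():
        sent = [ua.cookie_header(u) for u in (
            "http://foo.com/cookie-policy.html",  # the CommentURL itself
            "http://ads.example/banner.gif",      # image embedded in it
            "http://foo.com/products.html")]      # link followed from it
        stored = ua.receive("http://ads.example/banner.gif", "track", "1")
    return sent, stored, ua.cookie_header("http://foo.com/"), ua.jar
```
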