- From: Koen Holtman <koen@win.tue.nl>
- Date: Thu, 6 Feb 1997 17:19:04 +0100 (MET)
- To: Fisher Mark <FisherM@is3.indy.tce.com>
- Cc: dmk@research.bell-labs.com, snowhare@netimages.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, www-talk@w3.org
Fisher Mark: [...] >I think this is a little strong. I would prefer something like: 'By >default, user agents MUST NOT allow the setting of cookies on inlined or >embedded objects if the enclosing document and the inlined or embedded >object would be precluded from directly sharing a cookie by the other domain >exclusion rules. Something very much like that is already in the spec: see section 4.3.5 Sending Cookies in Unverifiable Transactions Or am I missing some subtle point here? [...] >BTW, the silent rejection of cookies, esp. by domain name, is a good idea. I think this idea is covered by the suggestions in the spec. Some slightly off-topic information: if you edit your netscape preferences file to read ACCEPT_COOKIE: 2 then NS will apparantly reject cookies without asking (I have not tried this, but I read it in the risk digest.. A commercial product which allows rejection by domain name (called PGPcookie.cutter) has been announced. Also, extending a proxy to provide cookie filtering services is trivial, and if someone has not done it already, someone will do it soon. (I did it myself actually, but not in an industrial strength proxy implementation.) >Mark Leighton Fisher Thomson Consumer Electronics Koen.
Received on Thursday, 6 February 1997 08:36:08 UTC