Fisher Mark:
>I think this is a little strong.  I would prefer something like: 'By 
>default, user agents MUST NOT allow the setting of cookies on inlined or 
>embedded objects if the enclosing document and the inlined or embedded 
>object would be precluded from directly sharing a cookie by the other domain 
>exclusion rules.

Something very much like that is already in the spec: see section

  4.3.5  Sending Cookies in Unverifiable Transactions

Or am I missing some subtle point here?

>BTW, the silent rejection of cookies, esp. by domain name, is a good idea.

I think this idea is covered by the suggestions in the spec.

Some slightly off-topic information: if you edit your netscape preferences
file to read
then NS will apparently reject cookies without asking (I have not tried
this, but I read it in the risk digest).  A commercial product which allows
rejection by domain name (called PGPcookie.cutter) has been announced.
Also, extending a proxy to provide cookie filtering services is trivial, and
if someone has not done it already, someone will do it soon.  (I did it
myself actually, but not in an industrial strength proxy implementation.)
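As an added illustration (not code from this thread or from any product it mentions), here is a simplified model of the two rules the message points at: the Domain-attribute acceptance checks (the "domain exclusion rules") and the refusal of cookies set by inlined or embedded objects in unverifiable transactions (section 4.3.5). The way the two are combined in `accept_set_cookie` is an assumption made for illustration, not the RFC text; the sample hosts and headers are constructed.

```python
# Added example: simplified RFC 2109-style cookie filter for a user agent or
# filtering proxy. Combination rule in accept_set_cookie() is an assumption.

def domain_match(host: str, domain: str) -> bool:
    """host domain-matches domain if they are equal, or domain is dotted
    (".example.com") and host is N + domain with N non-empty and dot-free."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if not domain.startswith(".") or not host.endswith(domain):
        return False
    prefix = host[: -len(domain)]
    return prefix != "" and "." not in prefix


def acceptable_domain(request_host: str, domain: str) -> bool:
    """Domain attribute must start with a dot, contain an embedded dot, and be
    domain-matched by the host that sent the Set-Cookie."""
    if not domain.startswith(".") or "." not in domain[1:]:
        return False
    return domain_match(request_host, domain)


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Domain=.x; Path=/' into a dict (attribute keys lowercased)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def accept_set_cookie(header: str, request_host: str, document_host: str,
                      unverifiable: bool):
    """Return the parsed cookie if it should be kept, else None.
    document_host is the page the user actually asked for; unverifiable marks
    automatically fetched embedded objects (images, frames, ...)."""
    cookie = parse_set_cookie(header)
    domain = cookie.get("domain")
    if domain is not None and not acceptable_domain(request_host, domain):
        return None  # rejected by the domain exclusion rules
    effective = domain if domain is not None else request_host
    if unverifiable and not domain_match(document_host, effective):
        return None  # third-party cookie on an embedded object (section 4.3.5)
    return cookie
```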

