Re: errata for cookie spec from Benjamin Franz on 1997-02-06 (ietf-http-wg@w3.org from January to March 1997)

From: Benjamin Franz <snowhare@netimages.com>
Date: Thu, 6 Feb 1997 08:56:26 -0800 (PST)
To: Koen Holtman <koen@win.tue.nl>
Cc: Fisher Mark <FisherM@is3.indy.tce.com>, dmk@research.bell-labs.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, www-talk@w3.org
Message-Id: <Pine.LNX.3.95.970206083347.26263B-100000@ns.viet.net>

On Thu, 6 Feb 1997, Koen Holtman wrote:

> Fisher Mark:
> [...]
> >I think this is a little strong.  I would prefer something like: 'By 
> >default, user agents MUST NOT allow the setting of cookies on inlined or 
> >embedded objects if the enclosing document and the inlined or embedded 
> >object would be precluded from directly sharing a cookie by the other domain 
> >exclusion rules.
> 
> Something very much like that is already in the spec: see section
> 
>   4.3.5  Sending Cookies in Unverifiable Transactions
> 
> Or am I missing some subtle point here?

I overlooked that. Ummmm...Wordy and confusingly written, but it does seem
to try and say pretty much the same thing. I think a weasel interpretation
could still manage to say that it allows setting cookies without asking on
inlined objects though.  The problem comes from this sentence in 4.3.5: 

   When it makes an unverifiable transaction, a user agent must enable a
   session only if a cookie with a domain attribute D was sent or received
   in its origin transaction, such that the host name in the Request-URI
   of the unverifiable transaction domain-matches D.

By saying 'sent or received' instead of 'set' or 'accepted' it opens the
door to arguing that 'a cookie was sent or received' even if it wasn't
accepted (Yes, it is a perverse interpretation. But it appears to be
possible.) A direct statement would be better. No cookies allowed on
inlined or embedded objects if the object resides in a different domain
than the domains the enclosing document could otherwise share cookies
with. This avoids the issue entirely. Best of all: It clearly qualifies as
clarification of the existing statement in 4.3.5 to prevent
mis-interpretation. :) 

I think 4.3.5 should be condensed to a more direct statement. By spreading
it out over 5 paragraphs talking about 'verifiable' and 'unverifiable'
transactions, rather than a bullet sentence, its point gets lost - and
provides opportunities for 'spec lawyering'. 

-- 
Benjamin Franz

Received on Thursday, 6 February 1997 09:20:30 UTC