- From: David W. Morris <dwm@xpasc.com>
- Date: Mon, 24 Mar 1997 16:40:24 -0800 (PST)
- To: Jonathan Stark <stark@commerce.net>
- Cc: http-wg@cuckoo.hpl.hp.com
On Mon, 24 Mar 1997, Jonathan Stark wrote: > Here's a first crack at the text as I feel it should be included in the > RFC: > > -- > CommentURL=commenturl > Optional. The CommentURL allows an origin server to specify a document > that explains the usage of this cookie, and could optionally also explain > the policies governing the use of information collected through this cookie. > A user-agent can offer the user the option of inspecting this page before > accepting a cookie. Any cookies issued while attempting to retrieve the > document at commenturl should be refused. I have been working thru a similar idea before presenting it ... BUT thus far my thought is that there shouldn't be any restrictions on what the URL points at, associated cookies, etc. except that we need to work thru the rules to make sure a privacy hole isn't created... but I think if the rules are that retrieving this URL is like following any other link then I don't think there are any new exposures. (That is the cookie issued by this link would have to fit the URL being retrieved.) THis has the additional advantage in that language issues can be handled via normal UA / server negotiation. A suggested UI for an UA able to do so would be to open a new browser window to follow the link. Dave Morris
Received on Monday, 24 March 1997 16:42:24 UTC