Re: LAST CALL, "HTTP State Management Mechanism (Rev1) " to Propo

David Morris wrote:

> > If the user agent allows the user to follow the [CommentURL] link [as
> > part of a cookie inspection user interface], it should neither send nor
> > accept a cookie until the user has completed the inspection.
> 
> I believe that wording is safe but perhaps too conservative. I think the
> only ambiguous case is if the UA provides access to the CommentURL while
> the user is being asked whether
> or not to accept a cookie. Once a cookie has been stored and the user
> is simply reviewing cookies already acquired I can't see any problem 
> with treating the CommentURL normally. I also don't see any conflict
> with sending or receiving already approved cookies with the CommentURL
> request. With those arguments in mind, how about the alternative:

I think there are potential problems with scripts trying to change
existing, already "accepted" cookies, or expiring them, but I think
you very gracefully address these issues in your wording below.
Looks good.

>    A potentially confusing situation exists if a user agent's cookie
>    inspection interface allows a user to follow a CommentURL link
>    within a dialog which is prompting the user to decide if the cookie
>    containing the CommentURL is acceptable AND following the CommentURL
>    link results in receipt of a new, not previously approved cookie.
>    The user agent MAY discard any cookie received in this context in order
>    to avoid the complexities of interacting with the user regarding nested
>    set-cookie requests.  Servers which depend on cookies MUST allow for
>    the possibility that URLs used in their cookie's CommentURL value
>    will be ignored by user agents.

Jonathan

Received on Tuesday, 22 July 1997 15:04:02 UTC
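
The following sketch is an added example, not part of the original message or of the draft: it models one reading of the proposed wording, in which a user agent drops every cookie that arrives while a CommentURL is followed from inside an acceptance prompt (including attempts to change or expire approved cookies) but still sends cookies that were already approved. The `Cookie` and `UserAgent` classes, their methods, and the `shop.example` values used with them are hypothetical.

```python
# Added illustration; class and method names are hypothetical, not from the draft.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    value: str
    comment_url: str = ""
    max_age: Optional[int] = None   # 0 means "expire now"

@dataclass
class UserAgent:
    approved: dict = field(default_factory=dict)   # (domain, name) -> Cookie
    discarded: list = field(default_factory=list)  # record of dropped cookies
    _prompt_open: bool = False

    def cookies_to_send(self, domain):
        # Already approved cookies go out normally, even on a CommentURL request.
        return [c for (d, _), c in self.approved.items() if d == domain]

    def receive(self, cookie, user_accepts):
        """Handle one received cookie; user_accepts(cookie, ua) models the dialog."""
        if self._prompt_open:
            # Nested context: a CommentURL is being followed from inside a prompt.
            # Drop the cookie, whether it is new or targets an approved one.
            self.discarded.append(cookie)
            return False
        self._prompt_open = True
        try:
            ok = user_accepts(cookie, self)
        finally:
            self._prompt_open = False
        if ok:
            key = (cookie.domain, cookie.name)
            if cookie.max_age == 0:
                self.approved.pop(key, None)   # accepted expiry request
            else:
                self.approved[key] = cookie
        return ok

    def follow_comment_url(self, domain, response_cookies, user_accepts):
        """Fetch a CommentURL; response_cookies is the (constructed) server reply."""
        sent = self.cookies_to_send(domain)
        for c in response_cookies:
            self.receive(c, user_accepts)
        return sent
```

Outside a prompt, `follow_comment_url` behaves like any other request, which matches the case of a user reviewing cookies that are already stored.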