- From: Jonathan Stark <stark@commerce.net>
- Date: Tue, 22 Jul 1997 14:57:34 -0700 (PDT)
- To: "David W. Morris" <dwm@xpasc.com>
- Cc: dmk@research.bell-labs.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
David Morris wrote:
> > If the user agent allows the user to follow the [CommentURL] link [as
> > part of a cookie inspection user interface], it should neither send nor
> > accept a cookie until the user has completed the inspection.
>
> I believe that wording is safe but perhaps too conservative. I think the
> only ambiguous case is if the UA provides access to the CommentURL while
> the user is being asked whether or not to accept a cookie. Once a cookie
> has been stored and the user is simply reviewing cookies already acquired
> I can't see any problem with treating the CommentURL normally. I also
> don't see any conflict with sending or receiving already approved cookies
> with the CommentURL request. With those arguments in mind, how about the
> alternative:

I think there are potential problems with scripts trying to change
existing, already "accepted" cookies, or expiring them, but I think you
very gracefully address these issues in your wording below. Looks good.

> A potentially confusing situation exists if a user agent's cookie
> inspection interface allows a user to follow a CommentURL link
> within a dialog which is prompting the user to decide if the cookie
> containing the CommentURL is acceptable AND following the CommentURL
> link results in receipt of a new, not previously approved cookie.
> The user agent MAY discard any cookie received in this context in order
> to avoid the complexities of interacting with the user regarding nested
> set-cookie requests. Servers which depend on cookies MUST allow for
> the possibility that URLs used in their cookie's CommentURL value
> will be ignored by user agents.

Jonathan
Received on Tuesday, 22 July 1997 15:04:02 UTC