- From: Judson Valeski <valeski@netscape.com>
- Date: Fri, 25 Jul 1997 15:56:10 -0700
- To: stark@commerce.net
- Cc: masinter@parc.xerox.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Jonathan Stark wrote: > > Although the commentURL attribute would provide a richer context for = > > the cookie to be evaluated in, it is going a step too far. The comment a= > > ttribute is sufficient to explain a cookie's purpose. If it is not, the = > > cookie server can provide a url in the comment attribute that the user/UA= > > can reference for further info. regarding the cookie. I would consider = > > it bad practice for the url the cookie server sends in the comment attrib= > > ute to contain cookies, but, content providers can obviously do whatever = > > they want. > > > > As long as the UA allows for examination of cookies, the user has com= > > plete control over what cookies he keeps. If the user allows a cookie to = > > be set because he didn't have a commentURL available for evaluation befor= > > e accepting the cookie, before he issues another request he can examine h= > > is cookies and visit any url in any comment attribute he wants. If at tha= > > t point the user decides he doesn't want that cookie, he can delete it. > > To put any meaningful explanation of what the cookie is used for will > require a small paragraph. That's a small paragraph in every Comment > header in every document that goes out of most servers that use > cookies. This is not network friendly. > The comment a= > ttribute is sufficient to explain a cookie's purpose. If it is not, the = > cookie server can provide a url in the comment attribute that the user/UA=> can reference for further info. regarding the cookie.Also, once users realize that they're spending time reading small paragraphs about cookies, they'll realize how unobtrusive and uninteresting the information in the cookie is to them, and stop reading about specific cookies altogether, thus rendering the commentURL obsolete anyway. > If you can see the justification for Comment, it should be obvious > that regardless of how it's implemented, CommentURL would be better. > It's much more versatile. > With including a URL in the comment, how likely is it that a user will not > only be allowed by the browser to open a new browser (presumably before > making a decision about accepting a cookie) but also copy a url off the > screen into the new browser, then look at what it says, and then > make a decision? The user would have to look at what the commentURL says and make a decision anyway. > (And what are the odds that they'll even get that > cookie policy at the URL without another cookie being sent to them, > and being asked to accept the same cookie?). How many people > will actually do it? Not many. But no-one said the UA wouldn't parse the comment attribute, realize there's a url in in and provide essentially the same functionality the commentURL would provide. There would be no copying and pasting. > If you cut CommentURL out, you might as well cut Comment out as well. I don't agree here. A cookie should have some means for describing its purpose (the comment attribute). Judson
Received on Friday, 25 July 1997 15:58:36 UTC