Re: Removing CommentURL from Judson Valeski on 1997-07-27 (ietf-http-wg@w3.org from July to September 1997)

From: Judson Valeski <valeski@netscape.com>
Date: Sun, 27 Jul 1997 12:47:11 -0700
To: "David W. Morris" <dwm@xpasc.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <33DBA5BE.F48B3B73@netscape.com>

David W. Morris wrote:

> What you propose guarantees that users will never look at the information
> about cookies.  How do you expect them to find the information on
> Netscape's or IBM's or Micorsoft's sites. The commentURL provides the
> connection.  Otherwise it's a giant adventure game.

I don't know that I've proposed any "guarantees."  What I was getting at was
that perhaps content providers should be the ones supplying this link to
information about the cookies they're setting. I don't know/care how they
would do it (maybe always having a comment URL hyper-link at the bottom of a
stateful page or something), the point I was making is that maybe it should be
their responsibility, not ours.

Regarding the possibility of further cookies being sent/set when a request for
a comment URL is made...
I would like to reiterate that I would consider it bad practice for a content
provider to associate cookies with a comment URL, but well within their
rights. If a comment URL is designed to describe the cookies associated with
other urls, that should be its only purpose. I see no need to be
sending/setting cookies with a comment URL; doing so unnecessarily opens a can
of worms. However, I consider two reactions to this possibility:

1. Business as usual. If the request to a comment URL is made and a set-cookie
header is in the response, so be it, the UA takes no action and treats the
comment URL like any other. If the user finds himself spinning down a spiral
of cookie approvals via comment URLs, he can enjoy the ride, or get off.

2. No cookies will be sent or set when a comment URL is in question. The UA
knows this given url is a comment URL and doesn't send any cookies with the
request for it, nor does it allow any cookies to be set when receiving the
response.

UA reaction #1 is most likely to be implemented, not because #2 is difficult
by any means, but, because the comment URL is after all simply a url like any
other.

Judson Valeski

Having said that, correct behavior when a request for a comment URL goes out
will to not

>From the UA's perspective I'm inclined

>
>
> Dave Morris

Received on Sunday, 27 July 1997 12:50:31 UTC