- From: Dave Kristol <dmk@bell-labs.com>
- Date: Mon, 28 Jul 1997 18:15:54 -0400
- To: hardie@nic.nasa.gov
- Cc: "David W. Morris" <dwm@xpasc.com>, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Ted Hardie wrote:
> [...]
> Minimally, the user-agent must be able to deal with the situation in
> which a comment-url is present but the site is unreachable or very
> slow. What, in particular, does it do with its connection to the
> cookie-providing site? If there is a user and she has requested to
> approve cookies, does it close the connection until approval? If not,
> can it or should it prevent the connection from closing, and if so,
> what would be the best method for doing so? A HEAD against the
> requested resource to make sure it has not changed? If the server
> closes the connection during this processing, should a client continue
> to try to reach the comment-url site and gain acceptance, or should it
> present an error? What happens if the user accepts the policy but,
> upon reconnect, a different cookie is presented? (In general, once a
> policy has been approved for a specific resource, should a UA consider
> it in force if the same URL is visited, even if a different cookie is
> presented, provided the same policy is referenced? That may seem like
> a no-brainer, but the first view of a cookie at a site may show much
> less than a view twenty items into the shopping basket later. When
> should someone be asked to re-view the policy and cookie?)
> [...]

The CommentURL mechanism assists the user in making a decision. With that in mind, the answer to your questions is, I think, the UA tells the user what happened.

If we're talking about an inspection mechanism at "the port of entry" (when a cookie accompanies a new page and before the user has viewed the page), the user probably has a choice of whether or not to accept the cookie. Examining the comment URL is a way for the user to make an informed choice. If the UA reports it can't fetch the CommentURL, the user still has that choice, just with less information than s/he hoped for.

Assuming a sophisticated enough cookie inspection mechanism that would let the user select cookie inspection behavior on a per-site basis, the user can decide whether or not to inspect each cookie from a given site as it arrives. If, after looking at the first cookie from a site, the user decides not to inspect each one, I would expect him/her still to be able to inspect the cookies in the cookie jar later.

I think the only guard against a site that describes cookie policy one way in one place and differently elsewhere is social pressure. I don't think the UA should try to guard against it.

Dave Kristol
Received on Monday, 28 July 1997 15:17:58 UTC
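
The inspection flow discussed in this message, sketched as an added example (it is not part of the original e-mail and not code from any browser): a user agent inspects a cookie at the "port of entry", tries the CommentURL under a timeout, and still puts the accept/reject choice to the user when the fetch fails. The names `UserAgent`, `inspect_cookie`, `fetch_comment`, `ask_user`, `review_jar` and the per-site policy values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Per-site inspection settings (hypothetical names chosen for this example).
ASK_EACH, ACCEPT_SILENTLY = "ask-each", "accept-silently"

@dataclass
class Cookie:
    site: str
    name: str
    value: str
    comment_url: Optional[str] = None

@dataclass
class UserAgent:
    fetch_comment: Callable[[str, float], str]  # raises OSError if unreachable or slow
    ask_user: Callable[[Cookie, str], bool]     # returns True when the user accepts
    site_policy: Dict[str, str] = field(default_factory=dict)
    jar: List[Cookie] = field(default_factory=list)
    timeout: float = 5.0                        # assumed bound on the CommentURL fetch

    def inspect_cookie(self, cookie: Cookie) -> bool:
        """Decide on a cookie before the page is shown; return True if it was stored."""
        if self.site_policy.get(cookie.site, ASK_EACH) == ACCEPT_SILENTLY:
            self.jar.append(cookie)             # user chose not to inspect this site
            return True
        if cookie.comment_url is None:
            info = "No CommentURL was supplied with this cookie."
        else:
            try:
                info = self.fetch_comment(cookie.comment_url, self.timeout)
            except OSError as exc:
                # Fetch failed: report what happened, but keep the user's choice.
                info = f"Could not fetch {cookie.comment_url}: {exc}"
        accepted = self.ask_user(cookie, info)
        if accepted:
            self.jar.append(cookie)
        return accepted

    def review_jar(self, site: str) -> List[Cookie]:
        """Later inspection of stored cookies, whatever the per-site setting is."""
        return [c for c in self.jar if c.site == site]
```

The decision is keyed on the user's answer and the per-site setting only; nothing in the sketch tries to detect a site whose cookies differ from its stated policy.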