- From: Foteos Macrides <MACRIDES@sci.wfbr.edu>
- Date: Mon, 18 Aug 1997 15:37:34 -0500 (EST)
- To: masinter@parc.xerox.com
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-state@lists.research.bell-labs.com
Larry Masinter <masinter@parc.xerox.com> wrote: >At the HTTP working group meeting, I took off my "virtual" chair's hat >and put on a "opinionated working group member" hat, and ranted about >commentURLs. I want to extend that rant: > >I'm opposed to commentURLs in cookies. >I'm opposed to comment strings in cookies. >I'm opposed to trusted cookies, too. > >I believe that we should recommend "browsers should not return >cookies to sites that are not trusted with private information" >and that trust can be established using a variety of means: >(a) the site sent you the cookie (b) you have some other way of >establishing a site's privacy policy. > >Establishing the privacy policy might be accomplished by >using a PICS-Label or by obtaining it via some other link, >having the privacy rating INSIDE THE DOCUMENT that contains >the links ("we assert that this document only links to sites >with the following privacy policy") or any of a variety of >means outside the HTTP protocol. > >But assertions of privacy policies do not belong *inside* the >state management mechanism. This self-avowed opinionated rant is invalid because it retains the myopic view that the commentURL is simply for legalistic statements about a site's privacy policy. Please read the actual draft: CommentURL="http_URL" Optional. Because cookies can be used to derive or store private ^^^^^^^^ information about a user, the CommentURL attribute alows an origin server to document how it intends to use the cookie. The user can ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ inspect the information identified by the URL to decide whether to initiate or continue a session with this cookie. ^^^^^^^^^^^ Statements such as "This cookie maintains your display preferences.", or "This cookie servers as a shopping cart.", or "This cookie performs trade secrets which cannot be revealed to you.", or "This cookie serves solely to track you from here to eternity." would be more helpful, not simply for decisions on whether to accept a cookie, but even more importantly for decisions during "clean ups" or cookie replacements due to limited resources -- and their inclusion is "Optional." Providers should not be prevented from making such information available in a manner which allows charset/language negotiation and via a simple, consistent UA mechanism, rather than requiring users to hunt around in unspecified documents for it, with no assurance that what's said in some such documents applies to a particular cookie. You are trying to block something which has been discussed at length already, is wanted by some implementors, and need not be used by those who don't want it. In your own immortal words, "Please stop!" :) :) Fote ========================================================================= Foteos Macrides Worcester Foundation for Biomedical Research MACRIDES@SCI.WFBR.EDU 222 Maple Avenue, Shrewsbury, MA 01545 =========================================================================
Received on Monday, 18 August 1997 12:44:45 UTC