Re: FW: revised trusted cookie spec from Larry Masinter on 1997-08-19 (ietf-http-wg@w3.org from July to September 1997)

From: Larry Masinter <masinter@parc.xerox.com>
Date: Tue, 19 Aug 1997 00:37:32 PDT
To: Foteos Macrides <MACRIDES@sci.wfbr.edu>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, http-state@lists.research.bell-labs.com
Message-Id: <33F94D3C.AC922E15@parc.xerox.com>

>         What will it take to get across that "privacy" is not the only
> issue here, nor necessarily a central one when a commentURL is sought
> to assist in making a decision?

First, privacy considerations were the primary motivation for initially
disallowing cookies in the first place, and then adding Comment and then
CommentURL as a way for letting users conditionally accept cookies. If
you're now claiming that privacy considerations are not the central
issue for whether a user might want to view the resource pointed to by a
commentURL, well, what is?

If there were other more important considerations, they weren't part
of the justification used to get the working group to go down this
particular rathole. I understand completely that you have other things
that you would like to ask content providers to tell you about
their content and cookies. But if the browser makers mainly don't
implement it, or if the users don't usually use it (even if the
browser makers do implement it) then the content providers won't
provide it, no matter how carefully we add the provisions.

Secondly, if there are any other factors for which users might want
some kind of conditional compliance, then these are also protocol
elements with which the mechanisms of conditional compliance should
be consistent. Right now, users choose 'accept Java' and 'load images'
using different dialogs and browser options, and there is no protocol 
element that lets users decide whether they want to allow Java code. 
Should there be a "comment" or "commentURL" associated with each 
element of Java, so that I could conditionally decide whether I want 
to allow a site's Java to execute on my machine, based on a decision 
of whether it is 'essential' or 'purely decorative'?

>       Also, it would be inside Set-Cookie2.  The Big Two are free to
> continue using just Set-Cookie.

If the makers of an overwhelming percentage of the deployed
software for web browsing don't intend to show Comment or CommentURL
data during cookie-choosing, then why in the world would any significant
number of content providers ever bother providing them? It just
makes no sense.

Larry

Received on Tuesday, 19 August 1997 00:43:30 UTC