- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 26 Jun 2013 06:32:08 -0700
- To: Ronan Heffernan <ronansan@gmail.com>
- Cc: Nicholas Doty <npdoty@w3.org>, "Mike O'Neill" <michael.oneill@baycloud.com>, "public-tracking@w3.org public-tracking@w3.org" <public-tracking@w3.org>
On Jun 26, 2013, at 4:06 AM, Ronan Heffernan wrote:

> I agree that any attempt to manipulate out-of-band via an in-band mechanism is a problem. Regarding in-band UGE, however, cookies seem like a poor way to store those exceptions, since cookies get cleared so often.

My assumption is that the UGE will never be implemented in practice in a way that is consistently usable across browsers and capable of being trusted by servers. Hence, my bar is relatively low.

However, I didn't say that browsers would be required to implement them as normal cookies or let them be reset like cookies. The Cookie protocol would simply be used for their communication, which has the benefit of being backwards compatible with older browsers that do not implement any form of exceptions. A newer browser could choose to process and store these cookies separately from the normal cookie store (or simply protect them from being reset) if longevity is desired by the UA.

Note, however, that it is very likely that the tools which currently reset cookies will be updated to also reset anything else that looks like client-side state, including whatever we define for a UGE, so the notion that UGEs are somehow more persistent than cookies is unlikely to hold up long, even if the browsers implement them according to the spec.

....Roy

Received on Wednesday, 26 June 2013 13:32:32 UTC