Re: Opting in to cookies - proposal version 3

On Thu, 19 Jun 2008, Jonas Sicking wrote:
> The site is as always responsible for asking the user before allowing 
> third-party access to private data, and yes, if they fail to do so 
> properly they will be vulnerable.

So I guess I don't really understand what your proposal solves, then. It 
seems like a lot of complexity for only a very minimal gain in only one 
very specific scenario (the site doesn't ever return cookie-based data 
cross-site). We're still relying on the author not making mistakes, 
despite "the author will make a mistake" being our underlying assumption. 
If the site has to know to not include the cookie opt-in header, why not 
just have the site ignore the cookies? (It also introduces the problems 
that Maciej mentioned, which I think are valid problems.)

Ian Hickson               U+1047E                )\._.,--....,'``.    fL       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 20 June 2008 00:28:38 UTC