proposed change to COOKIE-INCLUDE from Lorrie Cranor on 2001-08-01 (www-p3p-policy@w3.org from July 2001)

From: Lorrie Cranor <lorrie@research.att.com>
Date: Tue, 31 Jul 2001 22:16:16 -0400
To: <w3c-p3p-specification@w3.org>, <www-p3p-dev@w3.org>, <www-p3p-policy@w3.org>
Message-ID: <04d401c11a2f$f2731d20$3a06cf87@research.att.com>

The P3P specification working group is considering a change
to seciton 2.3.2.7 of the P3P spec, and we would like feedback
from implementers and web sites. This is the part of the spec
that pertains to COOKIE-INCLUDE and COOKIE-EXCLUDE elements.

The current syntax for COOKIE-INCLUDE looks like:

<META xmlns="http://www.w3.org/2000/12/P3Pv1">
 <POLICY-REFERENCES>
<POLICY-REF about="/P3P/Policy1.xml">
       <COOKIE-INCLUDE>* * *</COOKIE-INCLUDE>
</POLICY-REF>
 </POLICY-REFERENCES>
</META>

The  proposed new syntax looks like:

<META xmlns="http://www.w3.org/2000/12/P3Pv1">
 <POLICY-REFERENCES>
<POLICY-REF about="/P3P/Policy1.xml">
       <COOKIE-INCLUDE
          name="Cookie1"
          value="FOO"
          domain=".example.com"
          path="/servlet"/>
</POLICY-REF>
 </POLICY-REFERENCES>
</META>

This is a change from space-delimeted PCDATA to attributes. In addition
we are proposing to add the ability to match on cookie values, not just
name, domain, and path. This change should make it easier to assign
different policies to cookies based on their values, for example a different
policy to an opt-out cookie than to a userid cookie (even if the same
cookie name is used).

The COOKIE-INCLUDE element would now have four attributes. A COOKIE-INCLUDE
element applies to a given cookie if the values given in the COOKIE-INCLUDE
match the corresponding components of the cookie. The name attribute of
COOKIE-INCLUDE is compared to the NAME portion of the cookie. The value
attribute of COOKIE-INCLUDE is compared to the VALUE portion of the cookie.
The domain attribute is compared to the contents of the domain attribute on
the cookie. The path attribute is compared to the path attribute on the
cookie.

The cookie specification states default values for the domain and path
attributes of cookies; these should be used in the comparison if those
attributes are not found in a specific cookie.

All four attributes of the COOKIE-INCLUDE element are optional. If an
attribute
is absent, the COOKIE include will match cookies that have that attribute
set
to any value.

Please let us know if you have any comments or concerns about this by
August 6. If you find this change particularly useful for you, please let
us know that too.

Lorrie Cranor
P3P Specification Working Group Chair

Received on Tuesday, 31 July 2001 23:02:22 UTC