- From: Jeremey Barrett <jeremey@veriweb.com>
- Date: Fri, 7 Feb 1997 15:37:45 -0800 (PST)
- To: advax@triumf.ca
- CC: www-talk@w3.org
- Cc: jeremey@veriweb.com
-----BEGIN PGP SIGNED MESSAGE-----

> On Fri, 7 Feb 1997, Jeremey Barrett wrote:
> >
> > The only thing we're talking about is forcing user-agents to by default
> > _not_ send cookies to domains which would be excluded from receiving
> > them by the normal cookie/domain rules as applied to the _enclosing_
> > document. i.e. ad.doubleclick.net can't get or set a cookie from an
> > <img> embedded in a web page on a different site.
> >
>
> Right. Is there some way to differentiate the REFERER of an inline image,
> Java Applet, JavaScript routine, etc. from the REFERER of an HTML page,
> i.e. the place you just followed a link from? Do we want to require user
> agents to figure this out and block sending cookies to a domain that
> doesn't match the parent?

User-agents should (by default, configurable of course) not allow cookies
to be set by (received from) or sent to domains not the "same" as that of
the enclosing (main) document, "same" meaning same as defined by the
normal cookie rules.

Example:

I am at http://www.foo.com. I click on a link to http://www.bar.com. The
URL http://www.bar.com returns this page:

<html>
<body>
<img src="http://www.jerks.com/cgi-bin/image_cgi">
</body>
</html>

The idea is to prevent cookies set by www.jerks.com from being allowed in,
and to prevent any cookies for www.jerks.com already set from being sent
to that img cgi. To decide whether or not to allow cookies, apply the
normal cookie/domain rules of www.bar.com to the URL to www.jerks.com.
Obviously, they would fail.

> I append a couple of scenarios (apologies to anyone reading this on a
> palmtop or ham radio link ...). The first seems clearcut to me - the
> user agent does not store the cookie from domain B because it appears
> inside a page from domain A.

Right.

> The second, I'm not so sure about. Blocking cookies sent to
> domain C because they are inside a frame from domain A will break C's
> legitimate shopping application. In this example, it is less likely that
> C's page would be included in many frames than the advertisement banner
> in the first one. And then there's Java banners, concealed JavaScript,
> etc.
>
> Thoughts?

Your second example seems very odd. You have a frameset within a document?
If you are fetching another entire HTML document, as you are in a frameset,
then the cookie rules are applied to that document (i.e. the rules are
applied to each document within the frameset individually). HTTP doesn't
(and shouldn't) know about HTML. All frames-based documents boil down to
your first example at some point.

- --
=-----------------------------------------------------------------------=
Jeremey Barrett                                VeriWeb Internet Corp.
Senior Software Engineer                       http://www.veriweb.com/
PGP Key fingerprint = 3B 42 1E D4 4B 17 0D 80 DC 59 6F 59 04 C3 83 64
=-----------------------------------------------------------------------=

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBMvu8wS/fy+vkqMxNAQHYdAP/U5q471Q2gcDrMHfDUD80hpxJLyLUx1o/
YbZiHlZRRQyRXw7IAhDlirItaqm4jY+uhpX7XO5sLs4oInZLgU77sjpz3HkXLzAQ
eupsaokn7xcEtfhT1XRizOfmWwr7SK3IwcMzcQ2qFoQkJdl+NIaQRaSQgV0+a7eH
0PazbuLQ8ko=
=xmjk
-----END PGP SIGNATURE-----
Received on Friday, 7 February 1997 18:37:59 UTC
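The rule proposed in the message above (check an embedded resource's host against the enclosing document's own cookie domain rules, and block cookies in both directions when that check fails), written out as a user-agent decision. This is an added example, not code from the message or from VeriWeb. It assumes the "normal cookie rules" are RFC 2109's domain-match (a host matches a domain if they are identical, or if the domain starts with a dot and the host is a longer name ending in it), with no public-suffix list, since none existed in 1997. The helper `siteDomainOf`, the in-memory `jar` shape, and the hostnames used as samples are this example's own assumptions.

```javascript
// Added example (not from the message above): a user agent deciding whether to
// send or accept cookies for an embedded resource, by applying the enclosing
// document's cookie domain rules to the resource host.  Domain rules assumed
// here: RFC 2109 domain-match, no public-suffix list (none existed in 1997).

// RFC 2109 domain-match: host matches domain if they are identical, or if
// domain has the form .B and host has the form N.B with N non-empty.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (!domain.startsWith('.')) return false;
  return host.length > domain.length && host.endsWith(domain);
}

// Assumption of this example: the broadest Domain a host could set for its own
// cookies under RFC 2109 is the host minus its leftmost label, with a leading
// dot, provided an embedded dot remains (".bar.com" yes, ".com" no).  Hosts
// that cannot form such a domain ("bar.com", "localhost") get exact match only.
function siteDomainOf(host) {
  const labels = host.toLowerCase().split('.');
  if (labels.length < 3) return labels.join('.');
  return '.' + labels.slice(1).join('.');
}

// The message's rule: cookies may flow to/from an embedded resource only if
// the resource host is "same" as the enclosing document under the enclosing
// document's own cookie domain rules.
function cookiesAllowedFor(enclosingUrl, resourceUrl) {
  const enclosingHost = new URL(enclosingUrl).hostname;
  const resourceHost = new URL(resourceUrl).hostname;
  return domainMatch(resourceHost, siteDomainOf(enclosingHost));
}

// RFC 2109 checks on a Set-Cookie Domain relative to the responding host:
// a host-only cookie (no leading dot) must name the host exactly; a dotted
// Domain needs an embedded dot, must domain-match the host, and the part of
// the host before it must contain no further dots.
function validCookieDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (!domain.startsWith('.')) return host === domain;
  if (!domain.slice(1).includes('.')) return false;
  if (!domainMatch(host, domain)) return false;
  return !host.slice(0, host.length - domain.length).includes('.');
}

// Outgoing side: build the Cookie header for a sub-resource request, or return
// null if nothing may be sent.  `jar` is a constructed in-memory cookie store
// of { name, value, domain } entries, domain as stored from Set-Cookie.
function cookieHeaderFor(jar, enclosingUrl, resourceUrl) {
  if (!cookiesAllowedFor(enclosingUrl, resourceUrl)) return null;
  const host = new URL(resourceUrl).hostname;
  const sent = jar.filter(c => domainMatch(host, c.domain));
  return sent.length ? sent.map(c => `${c.name}=${c.value}`).join('; ') : null;
}

// Incoming side: store a Set-Cookie from a sub-resource response only if the
// third-party check passes and the cookie's Domain is valid for that host.
function acceptSetCookie(jar, enclosingUrl, resourceUrl, cookie) {
  const host = new URL(resourceUrl).hostname;
  if (!cookiesAllowedFor(enclosingUrl, resourceUrl)) return false;
  if (!validCookieDomain(host, cookie.domain)) return false;
  jar.push(cookie);
  return true;
}

// Constructed sample jar: one cookie already set for www.jerks.com, one for
// the bar.com site the user is visiting.
const sampleJar = [
  { name: 'id', value: '42', domain: '.jerks.com' },
  { name: 'cart', value: '7', domain: '.bar.com' },
];

// Stand-alone demo of the message's scenario (guarded so it is silent when
// the file is loaded as a module).
if (typeof require !== 'undefined' && require.main === module) {
  const page = 'http://www.bar.com/';
  console.log(cookieHeaderFor(sampleJar, page, 'http://www.jerks.com/cgi-bin/image_cgi')); // null
  console.log(cookieHeaderFor(sampleJar, page, 'http://img.bar.com/logo.gif'));           // cart=7
}
```

For the frameset case the message describes, a user agent using this logic treats each frame document as its own enclosing document: the frame at C is fetched with C's cookies because, for that fetch, enclosing and resource hosts coincide, and C's own images are then checked against C, not against A.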