W3C home > Mailing lists > Public > www-talk@w3.org > January to February 1997

Re: errata for cookie spec

From: Jeremey Barrett <jeremey@veriweb.com>
Date: Fri, 7 Feb 1997 15:37:45 -0800 (PST)
Message-Id: <199702072337.PAA27205@descartes.veriweb.com>
To: advax@triumf.ca
CC: www-talk@w3.org
Cc: jeremey@veriweb.com

> On Fri, 7 Feb 1997, Jeremey Barrett wrote:
> > 
> > The only thing we're talking about is forcing user-agents to by default
> > _not_ send cookies to domains which would be excluded from receiving
> > them by the normal cookie/domain rules as applied to the _enclosing_
> > document. i.e. ad.doubleclick.net can't get or set a cookie from an
> > <img> embedded in a web page on a different site.
> > 
> Right. Is there some way to differentiate the REFERER of an inline image,
> Java Applet, JavaScript routine, etc. from the REFERER of an HTML page, 
> i.e. the place you just followed a link from. Do we want to require user 
> agents to figure this out and block sending cookies to a domain that 
> doesn't match the parent?

User-agents should (by default, configurable of course) not allow cookies
to be set by (received from) or sent to domains not the "same" as that of
the enclosing (main) document. "same" meaning same as defined by the
normal cookie rules. Example:

I am at http://www.foo.com. I click on a link to http://www.bar.com,
The URL http://www.bar.com returns this page:

<img src="http://www.jerks.com/cgi-bin/image_cgi">

The idea is to prevent cookies set by www.jerks.com from being allowed
in, and to prevent any cookies for www.jerks.com already set from
being sent to that img cgi. To decide whether or not to allow cookies,
apply the normal cookie/domain rules of www.bar.com to the URL to
www.jerks.com. Obviously, they would fail.

> I append a couple of scenarios (apologies to anyone reading this on a 
> palmtop or ham radio link ...). The first seems clearcut to me - the 
> user agent does not store the cookie from domain B because it appears
> inside a page from domain A .


> The second, I'm not so sure about. Blocking cookies sent to
> domain C because they are inside a frame from domain A will break C's 
> legitimate shopping application. In this example, it is less likely that
> C's page would be included in many frames than the advertisement banner
> in the first one. And then there's Java banners, concealed JavaScript, 
> etc.
> Thoughts?

You second example seems very odd. You have a frameset within a document?

If you are fetching another entire HTML document, as you are in a framset,
then the cookie rules are applied to that document. (i.e. the rules are
applied to each document within the framset individually). HTTP doesn't
(and shouldn't) know about HTML. All frames-based documents boil down to 
your first example at some point.

- -- 
Jeremey Barrett                                  VeriWeb Internet Corp.
Senior Software Engineer                         http://www.veriweb.com/

PGP Key fingerprint =  3B 42 1E D4 4B 17 0D 80  DC 59 6F 59 04 C3 83 64

Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

Received on Friday, 7 February 1997 18:37:59 UTC

This archive was generated by hypermail 2.4.0 : Monday, 20 January 2020 16:08:21 UTC