Re: LAST CALL, "HTTP State Management Mechanism (Rev1) " to Propo
Dave Kristol (dmk@research.bell-labs.com)
Tue, 22 Jul 97 16:28:02 EDT

Dave Morris and others have pretty consistently supported the inclusion
of a CommentURL attribute in Set-Cookie2. I was in the process of
editing that capability in for the next draft when I ran into the
following puzzle: how to express the general idea that no cookies
should be sent or received during the inspection process.

Here's an illustration of the problem. I send a request to foo.com and
get back a cookie that contains
CommentURL="http://foo.com/cookie-policy.html". I'm given the option
to inspect that CommentURL, so I do so. The HTML could potentially
have images in it, even links to images on advertising networks. It
could also have links to other pages on foo.com. If I follow those
links (all while supposedly inspecting the cookie policy), I get deeper
and deeper into the site. All the while cookie handling should be
disabled, right? How does it get re-enabled?

Does this wording express it adequately?:

If the user agent allows the user to follow the [CommentURL] link [as
part of a cookie inspection user interface], it should neither send nor
accept a cookie until the user has completed the inspection.

Dave Kristol
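
An added example, not part of the original message or of any draft: a toy user agent in Python showing one reading of the proposed wording, in which cookie handling is suspended for every request made during inspection (the policy page, embedded images, followed links) and is re-enabled only by an explicit end-of-inspection event. The class, its method names, the `ads.example` host and the cookie values are assumptions constructed for illustration.

```python
from contextlib import contextmanager
from urllib.parse import urlsplit


class UserAgent:
    """Toy user agent: a per-host cookie jar plus an inspection flag."""

    def __init__(self):
        self.jar = {}            # host -> {cookie name: value}
        self.inspecting = False  # True while the user is viewing a CommentURL
        self.log = []            # (url, cookies sent, cookies stored)

    def fetch(self, url, set_cookies=None):
        """Simulate one request; set_cookies stands in for Set-Cookie2 headers."""
        host = urlsplit(url).hostname
        # During inspection: send nothing, accept nothing.
        sent = {} if self.inspecting else dict(self.jar.get(host, {}))
        stored = {}
        if set_cookies and not self.inspecting:
            self.jar.setdefault(host, {}).update(set_cookies)
            stored = dict(set_cookies)
        self.log.append((url, sent, stored))
        return sent, stored

    @contextmanager
    def inspect(self, comment_url):
        """Cookie handling stays off until the user closes the inspection UI."""
        self.inspecting = True
        try:
            self.fetch(comment_url)
            yield self
        finally:
            self.inspecting = False  # the "inspection completed" event


def demo():
    """Constructed session: normal fetch, inspection with side requests, normal fetch."""
    ua = UserAgent()
    ua.fetch("http://foo.com/", {"session": "abc"})
    with ua.inspect("http://foo.com/cookie-policy.html"):
        ua.fetch("http://ads.example/banner.gif", {"track": "1"})  # image in the policy page
        ua.fetch("http://foo.com/deeper.html", {"extra": "2"})     # link followed from it
    ua.fetch("http://foo.com/")                                    # after inspection ends
    return ua


if __name__ == "__main__":
    for entry in demo().log:
        print(entry)
```
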