W3C NOTE-PICS-cookie-extension-971023  

PICS Extension for HTTP Cookies

Cookie Information 1.0

PICS 1.1 Extension

Submitted to W3C on 23 October 1997

Latest version:
This version:
Daniel Jaye, djaye@engagetech.com

Status of this document

This document is a NOTE made available by the W3 Consortium for discussion only. This indicates no endorsement of its content, nor that the Consortium has, is, or will be allocating any resources to the issues addressed by the NOTE.

This document is a submission to W3C from Engage Technologies, Inc. Please see <http://www.w3.org/Submission/>Acknowledged Submissions to W3C regarding its disposition.

Comments on this document should be sent to <djaye@engagetech.com>.


This document defines an extension to the PICS-1.1 label format to allow labels to refer to specific HTTP cookies.   The extension is referenced in the IETF internet draft: <ftp://ietf.org/internet-drafts/draft-ietf-http-jaye-trust-state-01.txt> Trust Mechanism for State Management.  The purpose of this extension and the internet draft is to allow PICS rating systems to provide information about the server practices with regard to HTTP cookies.  In particular, this extension can be used to apply the principles of the P3P project to address privacy concerns about HTTP cookies.


The W3C is currently addressing many of the issues concerning user privacy as part of the P3P project.  In addition, the IETF has encountered privacy issues with regard to the use of HTTP cookies as a state management mechanism.  An internet draft has been submitted to the IETF to provide a mechanism for web sites to communicate to user agents their privacy practices with respect to HTTP cookies.

PICS Label headers (which may be digitally signed according to the DSig Specification) were seen as the ideal mechanism for labeling the privacy practices.  However, a need was determined to be able to associate a PICS Label header with specific cookies in the same server response.  This extension is proposed to provide that association.

Cookie Information Extension

The goal of the cookie block (cookieinfo) extension is to provide an association between the PICS label and one or more HTTP cookies.  The cookieinfo extension builds upon the PICS 1.1 for and gen options to provide this link. Specifically, the cookieinfo extension provides a mechanism for enumerating the HTTP cookie names to which the label applies. The for and gen options are used to determine compatibility with the domain and path attributes of the cookie as described in <ftp://ietf.org/internet-drafts/draft-ietf-http-jaye-trust-state-01.txt>Trust Mechanism for State Management. In addition, the cookie block indicates that this label applies to cookies in the response header and not to the URI being requested.   If no cookie names are enumerated, then the label applies to all cookies compatible with the for and gen options. 

Usage notes:

Detailed Syntax of the Cookieinfo Extension in a PICS 1.1 label

The following syntax of the cookieinfo extension is written in modified BNF. By convention, '*' indicates 0 or more instances of the token that precedes the special character, '*1' indicates 0 or 1 instance of the token, and '+' indicates 1 or more instances of the token. The Quoted strings are case sensitive but other literal elements are case insensitive.

cookieinfo-ext ::= 'extension 
    ( mandatory "http://www.w3.org/PICS/extensions/cookieinfo-1_0.html"' cookiename*  ')' 
cookiename     ::= as defined in 
   <ftp://ietf.org/internet-drafts/draft-ietf-http-state-man-mec-04.txt> State Management Mechanism (Rev1).
   each cookiename should be quoted to be compliant with the PICS Specification.


The following example shows a valid cookieinfo extension is applied to a http cookie named "custid":

   extension ( mandatory "http://www.w3.org/PICS/extensions/cookieinfo-1_0.html" "custid" )

In this example, we begin with the extension ( mandatory tokens which identify this extension as an mandatory extension to the PICS label within which it is contained. This declaration is followed by a URL, http://www.w3.org/PICS/extensions/cookieinfo-1_0.html, which provides a unique name for the extension. De-referencing the URL provides human readable information on the extension. Finally we have a quoted cookie name value indicating the specific http cookie to which the label applies.