Craig Francis


Browser Cookies

This is in regard to the "cookie law" coming into effect.

As it stands, it will require every website to handle cookie consent in its own way (so every website visitor will need to learn how to use each website's cookie settings).

It's been mentioned several times that it should be the browser which handles this, so you have a consistent experience across all websites.

But should there be some way for website authors to tell the browser (via something like an XML file) what their cookies are for? Then any cookie not specified in the file could be ignored (when you, as a developer or as an individual who values their privacy, instruct the browser to enforce the use of these files).

I was thinking something along the lines of:

<?xml version="1.0" encoding="UTF-8"?>
<site>
  <cookies>
    <policy>
      <p>Our policy on cookies includes...</p>
    </policy>
    <cookie required="required">
      <name>session</name>
      <description>Allows you to stay logged in on this website.</description>
    </cookie>
    <cookie required="required">
      <name>csrf</name>
      <description>To protect you against security attacks known as a "Cross-Site Request Forgery".</description>
    </cookie>
    <cookie>
      <name>username</name>
      <description>If you login and return to this website at a later date, we can pre-fill the username field.</description>
    </cookie>
    <cookie domain="google-analytics.com">
      <name>__utma</name>
      <name>__utmb</name>
      <name>__utmc</name>
      <name>__utmz</name>
      <description>Allows us to view statistics on visitors, and improve our website based on this information.</description>
    </cookie>
    <cookie domain="www.third-party-website.com" path="/sub/folder/">
      <name>ref</name>
      <description>When coming from Third Party, we can pay them commission from any orders you place.</description>
    </cookie>
  </cookies>
  <localStorage>
    ...
  </localStorage>
  <sessionStorage>
    ...
  </sessionStorage>
  <urls>
    <!-- Based on SiteMaps -->
    <url>
      <loc>http://www.example.com/</loc>
      <lastmod>2001-01-01</lastmod>
      <changefreq>monthly</changefreq>
      <priority>0.8</priority>
    </url>
  </urls>
</site>

Notice that only two of these cookie entries are marked as "required", and that I have also included the third-party cookies (if the "domain" attribute is not specified, the browser assumes the current domain).
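To show how a browser (or a privacy proxy) would actually apply such a file, here is an added example of the enforcement side: it is not code from the original post. It parses a manifest of the shape above into rules, resolves a missing "domain" to the site's own host as proposed, and then classifies each cookie as required, optional or undeclared, so that undeclared cookies are dropped and optional ones can be dropped at the user's choice. The manifest text, the site domain www.example.com and the cookie list are constructed for the example; the path rule treats a declared path as covering itself and anything beneath it, and the domain rule accepts the declared host or a sub-domain of it, never a parent domain.

```python
# Added example (not code from the original post): enforce a per-site cookie
# manifest of the proposed shape. Manifest text, site domain and cookies below
# are constructed to exercise required/optional, default domain and path rules.
from dataclasses import dataclass
import xml.etree.ElementTree as ET

MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<site>
  <cookies>
    <cookie required="required">
      <name>session</name>
      <description>Allows you to stay logged in on this website.</description>
    </cookie>
    <cookie>
      <name>username</name>
      <description>Pre-fills the username field on your next visit.</description>
    </cookie>
    <cookie domain="google-analytics.com">
      <name>__utma</name>
      <name>__utmz</name>
      <description>Visitor statistics.</description>
    </cookie>
    <cookie domain="www.third-party-website.com" path="/sub/folder/">
      <name>ref</name>
      <description>Affiliate referral tracking.</description>
    </cookie>
  </cookies>
</site>
"""

@dataclass(frozen=True)
class Rule:
    names: frozenset   # one <cookie> entry may list several <name>s
    domain: str        # resolved: a missing domain attribute means the site itself
    path: str
    required: bool

def parse_manifest(xml_text, site_domain):
    """Turn the <cookies> section into Rule objects; only <cookie> entries are read."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    rules = []
    for el in ET.fromstring(data).findall("./cookies/cookie"):
        names = frozenset(n.text.strip() for n in el.findall("name") if n.text)
        if not names:
            continue  # an entry with no <name> can never match a cookie
        rules.append(Rule(
            names=names,
            domain=(el.get("domain") or site_domain).lower().lstrip("."),
            path=el.get("path") or "/",
            required=el.get("required") == "required",
        ))
    return rules

def _domain_matches(cookie_domain, rule_domain):
    # The declared host itself or a sub-domain of it; never a parent domain.
    cd = cookie_domain.lower().lstrip(".")
    return cd == rule_domain or cd.endswith("." + rule_domain)

def _path_matches(cookie_path, rule_path):
    # A declared path covers itself and everything beneath it, nothing above.
    rp = rule_path if rule_path.endswith("/") else rule_path + "/"
    cp = cookie_path if cookie_path.endswith("/") else cookie_path + "/"
    return cp.startswith(rp)

def decide(rules, cookie):
    """Classify a (name, domain, path) triple as required, optional or undeclared."""
    name, domain, path = cookie
    for r in rules:
        if name in r.names and _domain_matches(domain, r.domain) and _path_matches(path, r.path):
            return "required" if r.required else "optional"
    return "undeclared"

def filter_cookies(rules, cookies, allow_optional=True):
    """Split cookies into (kept, dropped) lists of (name, verdict) pairs.
    Undeclared cookies are always dropped under enforcement; optional ones are
    dropped as well when the user has opted out of all but the essentials."""
    kept, dropped = [], []
    for c in cookies:
        verdict = decide(rules, c)
        ok = verdict == "required" or (verdict == "optional" and allow_optional)
        (kept if ok else dropped).append((c[0], verdict))
    return kept, dropped

# Constructed cookies as a browser might hold them while on www.example.com.
SAMPLE_COOKIES = [
    ("session", "www.example.com", "/"),
    ("username", "www.example.com", "/"),
    ("__utma", "google-analytics.com", "/"),
    ("__utmz", "www.google-analytics.com", "/"),            # sub-domain of declared
    ("ref", "www.third-party-website.com", "/sub/folder/deep/"),
    ("ref", "www.third-party-website.com", "/"),            # outside declared path
    ("tracker", "ads.example.net", "/"),                     # never declared
]

if __name__ == "__main__":
    rules = parse_manifest(MANIFEST, "www.example.com")
    for allow in (True, False):
        kept, dropped = filter_cookies(rules, SAMPLE_COOKIES, allow_optional=allow)
        print("allow_optional=%s kept=%s dropped=%s" % (allow, kept, dropped))
```

Running it with allow_optional=True keeps session, username, both analytics cookies and the in-path ref cookie, and drops the out-of-path ref cookie and the undeclared tracker; with allow_optional=False only session survives. The thing worth noticing is what the browser can and cannot check here: it can enforce the name, domain and path scope the file declares, but it has no way to verify that a description is truthful, or that a site has not simply marked every cookie as "required", so a file like this limits scope rather than guaranteeing honesty.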

Then you could link to this file with a <meta> tag on every page, or use a default path of "/site.xml" at the root of the domain, perhaps in the same way that "sitemap.xml" works.

But then again, I'm still waiting for a logout feature in any browser when you use HTTP auth (let alone being able to log in with multiple accounts at the same time).

Any feedback would be greatly appreciated. I don't include comments due to the admin time required, but if you email me, I will reply and make appropriate updates. Also, if you would like to take a copy of this article, please read the terms this article is released under. This article was originally written on Wednesday 18th May 2011.