2004-03-26 · in Ideas · 228 words

Current web browsers deal with cookie privacy by presenting the user with a dialog box when a site sends a cookie: the user either accepts or rejects it. This is annoying because most new sites will trigger the prompt, even though you don't want to accept cookies the majority of the time. Telling the browser to always reject cookies is similarly awkward: when you discover that you do want cookies turned on, you have to find a way of adding an exception, then retrace your steps through the site to find out where the cookie was set.

A better approach would be to have the browser always accept cookies, and to apply an ACL at the point where the cookies would be returned to the site. If the user decided they needed cookies to browse a site after all, they could add a rule for that site to the ACL (with an "Allow cookies from current site" button), and from then on the browser would send the right cookies. To deal with the cases where this wouldn't work, the browser should record which page each cookie came from when it is set; the user could then easily return to that page by picking the cookie from a list. Users who want to always accept cookies would just make "accept" the default action.
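
A minimal sketch of the store-always, filter-on-send model described above, added here as an illustration and not taken from any browser's code. The class and method names are hypothetical, and it assumes host-only matching with no Domain, Path or expiry handling.

```javascript
// Added sketch; DeferredCookieJar and its methods are hypothetical names.
class DeferredCookieJar {
  constructor(defaultAction = "reject") {
    this.defaultAction = defaultAction; // "accept" = always-accept users
    this.acl = new Map();               // hostname -> "accept" | "reject"
    this.store = [];                    // every cookie set, allowed or not
  }
  actionFor(host) {
    return this.acl.get(host) ?? this.defaultAction;
  }
  // Set time: never prompt, always store, remember the page that set it.
  setCookie(pageUrl, name, value) {
    const host = new URL(pageUrl).hostname;
    this.store = this.store.filter(c => !(c.host === host && c.name === name));
    this.store.push({ host, name, value, setBy: pageUrl });
  }
  // The "Allow cookies from current site" button.
  allowSite(pageUrl) {
    this.acl.set(new URL(pageUrl).hostname, "accept");
  }
  // Send time: the ACL decides whether stored cookies leave the browser.
  cookieHeaderFor(requestUrl) {
    const host = new URL(requestUrl).hostname;
    if (this.actionFor(host) !== "accept") return "";
    return this.store.filter(c => c.host === host)
      .map(c => `${c.name}=${c.value}`).join("; ");
  }
  // List shown to the user: withheld cookies and the page to return to.
  withheld() {
    return this.store.filter(c => this.actionFor(c.host) !== "accept")
      .map(({ host, name, setBy }) => ({ host, name, setBy }));
  }
}

// Constructed walk-through using the reserved example domain.
function demo() {
  const jar = new DeferredCookieJar();
  jar.setCookie("https://shop.example/login", "session", "abc123");
  const before = jar.cookieHeaderFor("https://shop.example/cart");
  const listed = jar.withheld();
  jar.allowSite("https://shop.example/cart");
  const after = jar.cookieHeaderFor("https://shop.example/cart");
  return { before, listed, after };
}
```

Because the cookie was stored before the rule existed, adding the rule is enough for the next request to carry it; the `setBy` field covers the sites where the user still has to go back to the page that set the cookie.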