
HttpOnly

From: Jim Manico <jim@manico.net>
Date: Tue, 18 Mar 2008 07:20:31 +0000
Message-ID: <47DF6D04.2060001@manico.net>
To: ietf-http-wg@w3.org

Are there any efforts underway to support the HttpOnly cookie directive 
within any version of the HTTP Protocol?

The HttpOnly cookie flag, now supported or soon to be supported by all 
major browser vendors, is a significant security enhancement for web 
centric computing. The HttpOnly flag simply prevents JavaScript from 
reading the details of a cookie. In particular, adding this flag to the 
HTTP spec as an /optional/ cookie directive will go a long way in 
assisting in the mitigation of Cross Site Scripting (XSS) and other 
session hijacking attack vectors.

With respect + Best Regards,
Jim Manico
jim.manico@aspectsecurity.com
Application Security Engineer + Web Application Architect
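An added example, not part of the original post: a small Python audit that parses Set-Cookie header values and reports session cookies missing the HttpOnly (and Secure) attributes, which is the check a defender would run against server responses. The session-cookie name hints and the sample headers are constructed assumptions for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example; the header values and name hints below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for bare flags
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie value into name, value and attributes.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return ParsedCookie(name.strip(), value.strip(), attrs)


# Assumed substrings that mark a cookie as session-bearing (heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def missing_protections(header: str) -> list:
    """Return the attributes a session cookie should carry but lacks."""
    cookie = parse_set_cookie(header)
    if not looks_like_session_cookie(cookie.name):
        return []  # non-session cookies are out of scope for this check
    missing = []
    if not cookie.attrs.get("httponly"):
        missing.append("HttpOnly")  # readable via document.cookie under XSS
    if not cookie.attrs.get("secure"):
        missing.append("Secure")    # would be sent over plaintext HTTP
    return missing


# Constructed sample headers as a server might emit them.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure",
    "sid=deadbeef; Path=/",
    "theme=dark; Path=/; Max-Age=31536000",
]


def audit(headers):
    """Map each cookie name to the list of missing protections."""
    return {parse_set_cookie(h).name: missing_protections(h) for h in headers}
```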
Received on Tuesday, 18 March 2008 09:27:07 GMT
