- From: Dan Winship <dan.winship@gmail.com>
- Date: Fri, 21 Nov 2008 08:04:58 -0500
- To: Bil Corry <bil@corry.biz>
- CC: HTTP Working Group <ietf-http-wg@w3.org>

Bil Corry wrote:
> Over on OWASP's Intrinsic Security list, I brought up that HTTPOnly cookies should be better implemented across the major browsers. Jim Manico replied that he's been actively trying to get the browsers to implement (or better implement) HTTPOnly cookies and it became clear in talking with Yngve Pettersen that the lack of a specification for HTTPOnly was hindering browser vendors.
>
> Out of that, we started a group to discuss and create the HTTPOnly cookie specification. If you're interested in participating, you can join here:
>
> http://groups.google.com/group/ietf-httponly-wg

It seems a little odd to write a specification for the HttpOnly cookie parameter when there isn't a spec for cookies-as-they-exist-in-the-real-world in general. What would really be useful would be for someone to pull an HTML5 on cookies, documenting how they are actually parsed (ie, not like the Netscape spec or either RFC says), how the path and domain parameters are actually used (ie, not like the Netscape spec or either RFC says), etc.

-- Dan

Received on Friday, 21 November 2008 13:05:38 UTC