
Re: HTTPOnly Cookies Specification

From: Dan Winship <dan.winship@gmail.com>
Date: Fri, 21 Nov 2008 08:04:58 -0500
Message-ID: <4926B1FA.4080008@gmail.com>
To: Bil Corry <bil@corry.biz>
CC: HTTP Working Group <ietf-http-wg@w3.org>

Bil Corry wrote:
> Over on OWASP's Intrinsic Security list, I brought up that HTTPOnly cookies should be better implemented across the major browsers.  Jim Manico replied that he's been actively trying to get the browsers to implement (or better implement) HTTPOnly cookies and it became clear in talking with Yngve Pettersen that the lack of a specification for HTTPOnly was hindering browser vendors.
> Out of that, we started a group to discuss and create the HTTPOnly cookie specification.  If you're interested in participating, you can join here:
> 	http://groups.google.com/group/ietf-httponly-wg

It seems a little odd to write a specification for the HttpOnly cookie
parameter when there isn't a spec for
cookies-as-they-exist-in-the-real-world in general.

What would really be useful would be for someone to pull an HTML5 on
cookies, documenting how they are actually parsed (i.e., not like the
Netscape spec or either RFC says), how the path and domain parameters
are actually used (i.e., not like the Netscape spec or either RFC says), etc.

-- Dan
Received on Friday, 21 November 2008 13:05:38 UTC
