
Re: HTTPOnly Cookies Specification

From: Bil Corry <bil@corry.biz>
Date: Fri, 21 Nov 2008 08:42:44 -0600
Message-ID: <4926C8E4.3090503@corry.biz>
To: HTTP Working Group <ietf-http-wg@w3.org>

Dan Winship wrote on 11/21/2008 7:04 AM: 
> It seems a little odd to write a specification for the HttpOnly cookie
> parameter when there isn't a spec for
> cookies-as-they-exist-in-the-real-world in general.

Yngve Pettersen has been working on Cookies v2 -- although he isn't trying to document "cookies-as-they-exist-in-the-real-world":

	http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-03.txt

The reason for the separate spec is because both Mozilla and WebKit are actively working on their implementations of HTTPOnly, and our goal is to help guide them in implementing HTTPOnly in a common way that provides the best security.

We're not opposed to merging our work into a larger cookie spec, but if you're envisioning something beyond what Yngve is actively working on, then it should include his work as well.  Yngve suggested it may be appropriate to resurrect the http-state-wg list if there was enough interest.


- Bil
Received on Friday, 21 November 2008 14:43:29 GMT
