
Re: HTTPOnly Cookies Specification

From: David Morris <dwm@xpasc.com>
Date: Sat, 22 Nov 2008 19:48:55 -0800 (PST)
cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <Pine.LNX.4.33.0811221939250.303-100000@egate.xpasc.com>
The flaw in this proposal is the assumption that web application builders
will be satisfied with the restrictions imposed by this flag and hence use
it.

I suspect that, with the ever-increasing level of highly interactive
content achieved with JavaScript, this flag will be ignored and hence
valueless as a general solution.

More appropriate would be to spend the effort designing a solid security
model which allows JavaScript (and other active content) access to
cookies, but only within the appropriate security rules.

Dave Morris
Received on Sunday, 23 November 2008 03:50:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:57 GMT