- From: Yngve Nysaeter Pettersen <yngve@opera.com>
- Date: Sun, 23 Nov 2008 16:06:09 +0100
- To: "Dan Winship" <dan.winship@gmail.com>, "Bil Corry" <bil@corry.biz>
- Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
On Fri, 21 Nov 2008 14:04:58 +0100, Dan Winship <dan.winship@gmail.com> wrote:

> Bil Corry wrote:
>> Over on OWASP's Intrinsic Security list, I brought up that HTTPOnly cookies should be better implemented across the major browsers. Jim Manico replied that he's been actively trying to get the browsers to implement (or better implement) HTTPOnly cookies and it became clear in talking with Yngve Pettersen that the lack of a specification for HTTPOnly was hindering browser vendors.
>>
>> Out of that, we started a group to discuss and create the HTTPOnly cookie specification. If you're interested in participating, you can join here:
>>
>> http://groups.google.com/group/ietf-httponly-wg
>
> It seems a little odd to write a specification for the HttpOnly cookie parameter when there isn't a spec for cookies-as-they-exist-in-the-real-world in general.
>
> What would really be useful would be for someone to pull an HTML5 on cookies, documenting how they are actually parsed (i.e., not like the Netscape spec or either RFC says), how the path and domain parameters are actually used (i.e., not like the Netscape spec or either RFC says), etc.

The Netscape spec and the RFCs (2109, 2965, 2964) specify how cookies are parsed (syntactically), how their arguments are to be interpreted, and how the cookies are to be picked when sending. For the most part there is AFAIK no major, and very few minor, differences between the browsers in the processing and picking part.

The parsing/interpretation differences that I am aware of between browsers at this time concern mainly what names are permitted (some clients allow cookie names with "$" and space, which is not permitted by any of the specifications, others don't), and the policies for how they prevent malicious sites from setting cookies for domains like co.uk (those are discussed in three of the drafts I have published). None of these will really affect normal and carefully implemented sites.
Where there are some major differences is in the policies for processing third-party cookies, which are not a topic in Netscape's spec, and the RFCs' specification is not really widely used. But that would in any case be a separate specification.

Given that the differences are minor in the area a specification would cover, I do not think a "real world spec" is really necessary. However, that does not mean that I think the Netscape spec shouldn't be republished as an historical RFC; it just does not have to include too much information about implementation differences.

In fact, I think having an historical RFC describing the Netscape spec cookies would be a good thing now that AOL/Netscape have taken that specification offline. But a potential problem with publishing such an RFC is the question of who has the rights (copyright) to that specification. In any case, I think an RFC version of that document would require substantial reworking compared to the original before it can be published.

-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
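As an added illustration of the three points the message touches on (the HttpOnly attribute, cookie names containing "$" or space that none of the specifications permit, and refusing a Domain attribute that names a public suffix such as co.uk), here is a small Set-Cookie parser. It is example code written for this page, not Opera's implementation or any of the drafts mentioned; the public-suffix set is a constructed stand-in for a real list.

```python
# Added example, not from the original message: a minimal defensive
# Set-Cookie parser. PUBLIC_SUFFIXES is a tiny constructed stand-in for
# a real public-suffix list and is illustrative only.
from dataclasses import dataclass
from typing import Optional

PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}  # constructed, illustrative only


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None  # None means host-only cookie
    path: str = "/"
    http_only: bool = False


def domain_is_public_suffix(domain: str) -> bool:
    """True if the Domain attribute names a public suffix like co.uk."""
    return domain.lower().strip(".") in PUBLIC_SUFFIXES


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Host must equal the domain or be a subdomain of it."""
    host, dom = request_host.lower(), cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def parse_set_cookie(header: str, request_host: str) -> Optional[Cookie]:
    """Parse one Set-Cookie header; return None if the cookie is rejected."""
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        return None
    name, value = parts[0].split("=", 1)
    name = name.strip()
    # Reject names the Netscape spec and the RFCs never allowed.
    if not name or "$" in name or " " in name:
        return None
    cookie = Cookie(name=name, value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "httponly":
            cookie.http_only = True  # flag-only attribute, carries no value
        elif key == "path" and val:
            cookie.path = val
        elif key == "domain" and val:
            # Refuse public suffixes and domains that do not cover the host.
            if domain_is_public_suffix(val) or not domain_matches(request_host, val):
                return None
            cookie.domain = val.lower().lstrip(".")
    return cookie
```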
Received on Sunday, 23 November 2008 15:06:46 UTC