
Re: document.cookie and HTTPOnly

From: Bil Corry <bil@corry.biz>
Date: Tue, 02 Dec 2008 12:48:22 -0600
Message-ID: <493582F6.5090004@corry.biz>
To: public-html-comments@w3.org

On Tue, 2 Dec 2008, Ian Hickson wrote:
> On Tue, 2 Dec 2008, Anne van Kesteren wrote:
>> 
>> http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#dom-document-cookie
>> currently does not take HTTPOnly into account. There should at
>> least be a note there that the user agent may not always reveal all
>> cookies the Cookie header contains. Likewise, HTTPOnly cookies are
>> not be overwritten by script.
> 
> Done. Let me know if there's a reference I can use...

Currently, there isn't a reference for HTTPOnly.  There's a small group of us working on creating one, but we're still hammering out the scope:

	http://groups.google.com/group/ietf-httponly-wg

Once we have a draft put together, I'll pass it along.  And of course, if anyone here is interested in joining the discussion on HTTPOnly, we're open to more input.


- Bil
Received on Tuesday, 2 December 2008 18:49:03 GMT
