
Re: document.cookie and HTTPOnly

From: Bil Corry <bil@corry.biz>
Date: Fri, 12 Dec 2008 11:14:27 -0600
Message-ID: <49429BF3.9050007@corry.biz>
To: public-html-comments@w3.org

Bil Corry wrote on 12/2/2008 12:48 PM: 
> On Tue, 2 Dec 2008, Ian Hickson wrote:
>> On Tue, 2 Dec 2008, Anne van Kesteren wrote:
>>> http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#dom-document-cookie
>>> currently does not take HTTPOnly into account. There should at
>>> least be a note there that the user agent may not always reveal all
>>> cookies the Cookie header contains. Likewise, HTTPOnly cookies are
>>> not be overwritten by script.
>> Done. Let me know if there's a reference I can use...
> Currently, there isn't a reference for HTTPOnly.  There's a small group of us working on creating one, but we're still hammering out the scope:
> 	http://groups.google.com/group/ietf-httponly-wg
> Once we have a draft put together, I'll pass it along.  And of course, if anyone here is interested in joining the discussion on HTTPOnly, we're open to more input.

Just an update, we have a draft of the HTTPOnly scope now available to review:


If you have an active interest in participating, our list is here:


- Bil
Received on Friday, 12 December 2008 17:16:34 UTC
