W3C home > Mailing lists > Public > public-html-diffs@w3.org > December 2008

spec/Overview.html 1.1688 2517 Mention HTTP-only cookies. (credit: ak)

From: poot <cvsmail@w3.org>
Date: Tue, 2 Dec 2008 19:06:32 +0900 (JST)
To: public-html-diffs@w3.org
Message-Id: <20081202100632.DD7772BC0B@toro.w3.mag.keio.ac.jp>

Mention HTTP-only cookies. (credit: ak) (whatwg r2517)

On getting, if the document is not associated with a browsing context then the user agent must raise an INVALID_STATE_ERR exception. Otherwise, if the sandboxed origin browsing context flag is set on the browsing context of the document, the user agent must raise a SECURITY_ERR exception. Otherwise, if the document's address does not use a server-based naming authority, it must return the empty string. Otherwise, it must return the same string as the value of the Cookie HTTP header it would include if fetching the resource indicated by the document's address over HTTP, as per RFC 2109 section 4.3.4 or later specifications, excluding HTTP-only cookies. [RFC2109] [RFC2965]
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1688.html#sandboxCookies
lastModified
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1688.html#dom-document-lastmodified

http://people.w3.org/mike/diffs/html5/spec/Overview.diff.html
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.1687&r2=1.1688&f=h
http://html5.org/tools/web-apps-tracker?from=2516&to=2517

===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.1687
retrieving revision 1.1688
diff -u -d -r1.1687 -r1.1688
--- Overview.html	2 Dec 2008 07:07:09 -0000	1.1687
+++ Overview.html	2 Dec 2008 10:03:51 -0000	1.1688
@@ -4818,7 +4818,7 @@
   authority, it must return the empty string. Otherwise, it must
   return the same string as the value of the <code title="">Cookie</code> HTTP header it would include if <a href=#fetch title=fetch>fetching</a> the resource indicated by <a href=#the-document-s-address>the
   document's address</a> over HTTP, as per RFC 2109 section 4.3.4
-  or later specifications. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p>On setting, if the document is not associated with a
+  or later specifications, excluding HTTP-only cookies. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p>On setting, if the document is not associated with a
   <a href=#browsing-context>browsing context</a> then the user agent must raise an
   <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the
   <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> is set on the
@@ -4830,7 +4830,12 @@
   <a href=#fetch>fetch</a> <a href=#the-document-s-address>the document's address</a> over HTTP,
   and had received a response with a <code>Set-Cookie</code> header
   whose value was the specified value, as per RFC 2109 sections 4.3.1,
-  4.3.2, and 4.3.3 or later specifications. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p class=note>Since the <code title=dom-document-cookie><a href=#dom-document-cookie>cookie</a></code> attribute is accessible
+  4.3.2, and 4.3.3 or later specifications, but without overwriting
+  the values of HTTP-only cookies. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p class=note>This specification does not define what makes an
+  HTTP-only cookie, and at the time of publication the editor is not
+  aware of any reference for HTTP-only cookies. They are a feature
+  supported by some Web browsers wherein an "<code title="">httponly</code>" parameter added to the cookie string
+  causes the cookie to be hidden from script.<p class=note>Since the <code title=dom-document-cookie><a href=#dom-document-cookie>cookie</a></code> attribute is accessible
   across frames, the path restrictions on cookies are only a tool to
   help manage which cookies are sent to which parts of the site, and
   are not in any way a security feature.</p><hr><p>The <dfn id=dom-document-lastmodified title=dom-document-lastModified><code>lastModified</code></dfn>
Received on Tuesday, 2 December 2008 10:10:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 18 December 2010 06:13:57 GMT