
document.cookie and HTTPOnly

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 02 Dec 2008 10:06:51 +0100
To: "HTML WG" <public-html@w3.org>
Message-ID: <op.uli19pj364w2qv@annevk-t60.oslo.opera.com>

http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#dom-document-cookie
currently does not take HTTPOnly into account. There should at least be a
note there that the user agent may not always reveal all cookies the
Cookie header contains. Likewise, HTTPOnly cookies are not to be overwritten
by script.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 2 December 2008 09:07:32 GMT
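
The behaviour the message asks the spec to note, as an added example that is not part of the original message or of any browser's code: a simplified cookie store in which the Cookie header carries every cookie, while the `document.cookie` getter omits HTTPOnly cookies and the setter refuses to overwrite them. The `CookieJar` class, its method names and the sample cookies are hypothetical, and cookies are keyed by name only (domain and path are ignored).

```javascript
// Simplified model of a user agent's cookie store (hypothetical class, not a
// browser API). Assumption: cookies are keyed by name only; domain/path ignored.
class CookieJar {
  constructor() { this.cookies = new Map(); } // name -> { value, httpOnly }
  // Parse "name=value; Attr; Attr=val" into name, value and the HttpOnly flag.
  static parse(str) {
    const [pair, ...attrs] = str.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return null; // missing "=" or empty name: ignore
    return {
      name: pair.slice(0, eq).trim(),
      value: pair.slice(eq + 1).trim(),
      httpOnly: attrs.some((a) => a.toLowerCase() === "httponly"),
    };
  }
  // Cookie received in an HTTP response (Set-Cookie header).
  setFromHttp(header) {
    const c = CookieJar.parse(header);
    if (c) this.cookies.set(c.name, { value: c.value, httpOnly: c.httpOnly });
  }
  // Assignment to document.cookie by script; returns whether it was stored.
  setFromScript(str) {
    const c = CookieJar.parse(str);
    if (!c || c.httpOnly) return false; // script cannot create HttpOnly cookies
    const old = this.cookies.get(c.name);
    if (old && old.httpOnly) return false; // nor overwrite an existing one
    this.cookies.set(c.name, { value: c.value, httpOnly: false });
    return true;
  }
  serialize(includeHttpOnly) {
    return [...this.cookies]
      .filter(([, c]) => includeHttpOnly || !c.httpOnly)
      .map(([name, c]) => `${name}=${c.value}`)
      .join("; ");
  }
  cookieHeader() { return this.serialize(true); } // sent to the server
  documentCookie() { return this.serialize(false); } // returned to script
}

// Constructed sample: one HttpOnly session cookie and one script-visible cookie.
function demo() {
  const jar = new CookieJar();
  jar.setFromHttp("sid=abc123; Path=/; HttpOnly");
  jar.setFromHttp("theme=dark; Path=/");
  const overwritten = jar.setFromScript("sid=changed");
  jar.setFromScript("lang=en");
  return { overwritten, header: jar.cookieHeader(), script: jar.documentCookie() };
}
```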
