
Re: document.cookie and HTTPOnly

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 2 Dec 2008 10:03:59 +0000 (UTC)
To: Anne van Kesteren <annevk@opera.com>
Cc: HTML WG <public-html@w3.org>
Message-ID: <Pine.LNX.4.62.0812021000380.17401@hixie.dreamhostps.com>

On Tue, 2 Dec 2008, Anne van Kesteren wrote:
> 
> http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#dom-document-cookie 
> currently does not take HTTPOnly into account. There should at least be 
> a note there that the user agent may not always reveal all cookies the 
> Cookie header contains. Likewise, HTTPOnly cookies are not to be 
> overwritten by script.

Done. Let me know if there's a reference I can use...

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 2 December 2008 10:10:01 UTC
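
The behaviour discussed in this message, as an added example that is not part of the original mail or of the HTML spec text: a toy cookie jar in which the HTTP path sees every cookie while the script path (what document.cookie would expose) hides HttpOnly cookies and cannot overwrite them. The class and method names are hypothetical, and the model ignores domain, path and expiry.

```javascript
// Added illustration: a toy cookie jar, not a browser's implementation.
// CookieJar and its method names are hypothetical; domain, path and expiry are ignored.
class CookieJar {
  constructor() { this.cookies = new Map(); } // name -> { value, httpOnly }
  // Parse "name=value; attr; ..." into { name, value, httpOnly }, or null.
  static parse(str) {
    const [pair, ...attrs] = str.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 1) return null;
    const httpOnly = attrs.some((a) => a.toLowerCase() === 'httponly');
    return { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly };
  }

  serialize(include) {
    return [...this.cookies].filter(([, c]) => include(c))
      .map(([n, c]) => `${n}=${c.value}`).join('; ');
  }

  // HTTP path: Set-Cookie may create or replace any cookie.
  setFromHeader(line) {
    const c = CookieJar.parse(line);
    if (c) this.cookies.set(c.name, { value: c.value, httpOnly: c.httpOnly });
    return c !== null;
  }

  // HTTP path: the Cookie request header carries every cookie.
  cookieHeader() { return this.serialize(() => true); }

  // Script path (document.cookie getter): HttpOnly cookies are left out.
  scriptGet() { return this.serialize((c) => !c.httpOnly); }

  // Script path (document.cookie setter): the write is dropped when it targets
  // an existing HttpOnly cookie, or carries the HttpOnly attribute itself
  // (the latter follows RFC 6265 and goes beyond the mail above).
  scriptSet(str) {
    const c = CookieJar.parse(str);
    if (!c || c.httpOnly || this.cookies.get(c.name)?.httpOnly) return false;
    this.cookies.set(c.name, { value: c.value, httpOnly: false });
    return true;
  }
}
// Constructed sample: one HttpOnly session cookie, one script-visible cookie.
function demo() {
  const jar = new CookieJar();
  jar.setFromHeader('sid=abc123; Path=/; HttpOnly');
  jar.setFromHeader('theme=dark; Path=/');
  const blocked = !jar.scriptSet('sid=overwritten');
  return { header: jar.cookieHeader(), script: jar.scriptGet(), blocked };
}
```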
