
Re: call for reviewers: XMLHttpRequest Last Call

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 08 Dec 2009 11:37:04 +0100
To: "Adam Barth" <w3c@adambarth.com>, "sird@rckc.at" <sird@rckc.at>
Cc: "Thomas Roessler" <tlr@w3.org>, public-web-security@w3.org
Message-ID: <op.u4l7r2tl64w2qv@anne-van-kesterens-macbook.local>

On Sun, 06 Dec 2009 17:38:05 +0100, Adam Barth <w3c@adambarth.com> wrote:
> On Sun, Dec 6, 2009 at 8:19 AM, sird@rckc.at <sird@rckc.at> wrote:
>> 3.- Do you really want to return to the user ALL HTTP headers with
>> getAllResponseHeaders? Think of Set-Cookie + httpOnly
>
> I believe most (all?) implementations block returning Set-Cookie
> headers with HttpOnly cookies.  If the spec doesn't say this, it's out
> of step with common practice.

RTFS? ;-)


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 8 December 2009 10:37:47 GMT
