- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 08 Dec 2009 11:37:04 +0100
- To: "Adam Barth" <w3c@adambarth.com>, "sird@rckc.at" <sird@rckc.at>
- Cc: "Thomas Roessler" <tlr@w3.org>, public-web-security@w3.org

On Sun, 06 Dec 2009 17:38:05 +0100, Adam Barth <w3c@adambarth.com> wrote:
> On Sun, Dec 6, 2009 at 8:19 AM, sird@rckc.at <sird@rckc.at> wrote:
>> 3.- Do you really want to return to the user ALL http headers with
>> getAllResponseHeaders? think on Set-Cookie + httpOnly
>
> I believe most (all?) implementations block returning Set-Cookie
> headers with HttpOnly cookies. If the spec doesn't say this, it's out
> of step with common practice.

RTFS? ;-)

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 8 December 2009 10:37:47 UTC