
XHR: HttpOnly cookies, Security Considerations section

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Thu, 22 Nov 2007 19:33:27 +0100
To: public-webapi@w3.org
Message-ID: <4kibk3paoh3jeclmo611ncucs8ifrqhc2g@hive.bjoern.hoehrmann.de>

Hi,

  It seems the current draft does not discuss HttpOnly cookies and other
headers that implementations may not want to expose. Can we have a
Security Considerations section that clarifies that implementations may,
at their discretion, not expose certain headers, perhaps giving HttpOnly
cookies as an example where that may be desired? I would expect any
future HttpOnly cookie specification to discuss its relationship with
XMLHttpRequest in more detail, so I don't think we should include more
of it than citing it as an example.

regards,
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Thursday, 22 November 2007 18:40:31 GMT
