Re: XHR: HttpOnly cookies, Security Considerations section

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 23 Nov 2007 11:40:58 +0100
To: "Bjoern Hoehrmann" <derhoermi@gmx.net>, public-webapi@w3.org
Message-ID: <op.t18qmkny64w2qv@annevk-t60.oslo.opera.com>

On Thu, 22 Nov 2007 19:33:27 +0100, Bjoern Hoehrmann <derhoermi@gmx.net>  
wrote:
> It seems the current draft does not discuss HttpOnly cookies and other
> headers that implementations may not want to expose. Can we have a
> Security Considerations section that clarifies that implementations may,
> at their discretion, not expose certain headers, perhaps giving
> HttpOnly cookies as an example where that may be desired? I would expect any
> future HttpOnly cookie specification to discuss its relationship with
> XmlHTTPRequest in more detail, so I don't think we should include more
> of it than citing it as example.

I added this:

   http://dev.w3.org/2006/webapi/XMLHttpRequest/#security


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Friday, 23 November 2007 10:41:05 GMT
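
The header withholding discussed in this message, as an added example that is not part of the original mail, the XMLHttpRequest draft, or any browser's code: a small model of a user agent filtering cookie-setting headers before script can read them. The function names, the two policy names and the sample headers are assumptions constructed for illustration.

```javascript
// Added illustration: models how a user agent could decide which response
// headers script may read. Not taken from the XMLHttpRequest draft or a browser.

// Constructed sample response headers (order kept, duplicates allowed).
const RAW_HEADERS = [
  ["Content-Type", "text/html; charset=utf-8"],
  ["Set-Cookie", "sid=constructed-session-value; Path=/; Secure; HttpOnly"],
  ["Set-Cookie", "theme=dark; Path=/"],
  ["Set-Cookie", "note=httponly; Path=/"], // value merely spells "httponly"
  ["X-Request-Id", "constructed-1234"],
];

// Hypothetical policy names: "httponly" withholds only cookies carrying the
// HttpOnly attribute; "all-cookies" withholds every cookie-setting header.
function isWithheld(name, value, policy) {
  const n = name.toLowerCase();
  if (n !== "set-cookie" && n !== "set-cookie2") return false;
  if (policy === "all-cookies") return true;
  // Attributes come after the first ';', so the name=value pair is skipped.
  return value.split(";").slice(1)
    .some((attr) => attr.trim().toLowerCase() === "httponly");
}

function exposedHeaders(raw, policy) {
  return raw.filter(([name, value]) => !isWithheld(name, value, policy));
}

// Script-visible counterpart of getAllResponseHeaders().
function allResponseHeaders(raw, policy) {
  return exposedHeaders(raw, policy)
    .map(([name, value]) => `${name}: ${value}`).join("\r\n");
}

// Script-visible counterpart of getResponseHeader(); null when nothing is exposed.
function responseHeader(raw, name, policy) {
  const values = exposedHeaders(raw, policy)
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}
```

Under the "httponly" policy the session cookie disappears from both accessors while the two unflagged cookies remain readable; under "all-cookies" a lookup of Set-Cookie returns null.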
