
[XMLHttpRequest]HttpOnly cookies visibility in XMLHttpRequest

From: eric bing <eric.bing@oracle.com>
Date: Fri, 06 Jun 2008 15:18:32 -0700
Message-ID: <4849B7B8.4050303@oracle.com>
To: public-webapi@w3.org
CC: Jim Manico <jim@manico.net>

Apologies for the late comments - I belatedly realized the close of 
comments on this was June 3.

I've been discussing some of this internally within Oracle USA and 
within the OWASP mail lists, and would like to make a suggestion.

We're very happy with the mention in the April 15th spec:
"Apart from requirements affecting security made throughout this 
specification implementations may, at their discretion, not expose 
certain headers, such as HttpOnly cookies."
http://dev.w3.org/2006/webapi/XMLHttpRequest/#security

However, we'd like to see even stronger language here.  We think it 
should be *recommended* or even better yet *required* that 
XMLHttpRequest not see these headers of HttpOnly cookies.   The fact 
that XMLHttpRequest can currently see these cookies greatly undermines 
the security value of this flag.

Thanks,
Eric Bing,
Senior Director, Application Product Security
Oracle USA
Received on Saturday, 7 June 2008 16:32:52 GMT
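The concern in the post is that script can read a cookie's value out of the Set-Cookie response headers that XMLHttpRequest exposes, which defeats HttpOnly. Below is an added example, not code from the post or from any browser, that models the filter later XMLHttpRequest and Fetch specifications require: Set-Cookie/Set-Cookie2 are never returned to script, and a script may not set Cookie/Cookie2 on a request. Header names, the sample response and the function names are all constructed for illustration.

```javascript
// Header names that a conforming XMLHttpRequest keeps away from script
// (lower-cased because HTTP header names are case-insensitive).
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);
const FORBIDDEN_REQUEST_HEADERS = new Set(["cookie", "cookie2"]);

// Parse a raw CRLF-separated header block into [name, value] pairs.
function parseRawHeaders(raw) {
  return raw
    .split(/\r?\n/)
    .filter((line) => line.includes(":"))
    .map((line) => {
      const idx = line.indexOf(":");
      return [line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()];
    });
}

// Model of getAllResponseHeaders(): cookie-setting headers are dropped
// before anything reaches the page, so HttpOnly values stay server-to-jar only.
function exposedResponseHeaders(raw) {
  return parseRawHeaders(raw).filter(([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name));
}

// Model of getResponseHeader(name): null for a forbidden or absent header,
// otherwise the values joined the way multiple header lines are combined.
function exposedResponseHeader(raw, name) {
  const wanted = name.toLowerCase();
  if (FORBIDDEN_RESPONSE_HEADERS.has(wanted)) return null;
  const hits = exposedResponseHeaders(raw).filter(([n]) => n === wanted).map(([, v]) => v);
  return hits.length ? hits.join(", ") : null;
}

// Model of the setRequestHeader() check: script may not hand-craft Cookie headers;
// the browser attaches the cookie jar itself, HttpOnly cookies included.
function scriptMaySetRequestHeader(name) {
  return !FORBIDDEN_REQUEST_HEADERS.has(name.toLowerCase());
}

// Constructed sample response: an HttpOnly session cookie beside ordinary headers.
const SAMPLE_RESPONSE_HEADERS =
  "Content-Type: text/html\r\n" +
  "Set-Cookie: SESSIONID=constructed-value; Path=/; HttpOnly\r\n" +
  "Set-Cookie2: legacy=1; Version=1\r\n" +
  "X-Frame-Options: DENY\r\n";

// Defender's check: true if any cookie-setting header survives the filter.
function leaksCookies(raw) {
  return exposedResponseHeaders(raw).some(([name]) => name.startsWith("set-cookie"));
}
```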