
Re: [XMLHttpRequest]HttpOnly cookies visibility in XMLHttpRequest

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 12 Jun 2008 14:04:36 +0200
To: "eric bing" <eric.bing@oracle.com>, public-webapps@w3.org
Cc: "Jim Manico" <jim@manico.net>
Message-ID: <op.ucmw5y1m64w2qv@annevk-t60.oslo.opera.com>

Note: due to the wonders of W3C process we now have a new mailing list,  
public-webapps. I cc'ed it on this e-mail.

On Sat, 07 Jun 2008 00:18:32 +0200, eric bing <eric.bing@oracle.com> wrote:
> Apologies for the late comments - I belatedly realized the close of
> comments on this was June 3.

That's ok. Technical comments are _always_ welcome. (Though they may not  
always impact the transition to CR or some other level, of course.)


> I've been discussing some of this internally within Oracle USA and
> within the OWASP mail lists, and would like to make a suggestion.
>
> We're very happy with the mention in the April 15th spec:
> "Apart from requirements affecting security made throughout this
> specification implementations _may_, at their discretion, not expose
> certain headers, such as HttpOnly cookies."
> http://dev.w3.org/2006/webapi/XMLHttpRequest/#security
>
> However, we'd like to see even stronger language here. We think it
> should be *recommended* or even better yet *required* that
> XMLHttpRequest not see these headers of HttpOnly cookies. The fact
> that XMLHTTPRequest can currently see these cookies greatly undermines
> the security value of this flag.

I very much agree, but given that nobody has defined cookies yet in  
sufficient detail making this a hard requirement is not really feasible at  
the moment. Once someone has defined cookies in sufficient detail we can  
revisit this.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 12 June 2008 12:05:18 GMT
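The exposure Eric describes is the response side of XMLHttpRequest: a script that can read Set-Cookie from getResponseHeader() or getAllResponseHeaders() learns the value of a cookie the HttpOnly flag was meant to keep away from it. The block below is an added example, not code from this thread or from any browser; it models, in plain JavaScript, the filtering rule that later revisions of the XMLHttpRequest specification adopted (Set-Cookie and Set-Cookie2 are never returned to script). The header block, cookie names and the parser are all constructed here for illustration.

```javascript
// Added example (not from the thread): how a user agent can keep cookie-setting
// response headers out of script reach, as later XMLHttpRequest specifications
// require. The header names below are the forbidden set; everything else is
// constructed sample data.

const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Parse a raw HTTP/1.1 header block into [name, value] pairs, names lowercased.
function parseHeaderBlock(raw) {
  const pairs = [];
  for (const line of raw.split(/\r?\n/)) {
    if (line.trim() === "") continue;
    const idx = line.indexOf(":");
    if (idx < 0) continue; // ignore malformed lines rather than guessing
    pairs.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// Headers a script is allowed to observe: all except the cookie-setting ones.
function scriptVisibleHeaders(raw) {
  return parseHeaderBlock(raw).filter(([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name));
}

// Model of getResponseHeader(name): null when absent or forbidden;
// repeated headers are combined with ", " as the spec describes.
function getResponseHeader(raw, name) {
  const wanted = name.toLowerCase();
  if (FORBIDDEN_RESPONSE_HEADERS.has(wanted)) return null;
  const values = parseHeaderBlock(raw)
    .filter(([n]) => n === wanted)
    .map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}

// Model of getAllResponseHeaders(): CRLF-joined "name: value" lines,
// with forbidden headers omitted entirely (not blanked, so no hint they exist).
function getAllResponseHeaders(raw) {
  return scriptVisibleHeaders(raw)
    .map(([n, v]) => `${n}: ${v}`)
    .join("\r\n");
}

// Constructed sample response head: an HttpOnly session cookie beside an
// ordinary cookie and two unrelated headers.
const SAMPLE_RESPONSE_HEADERS = [
  "Content-Type: text/html; charset=utf-8",
  "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly",
  "Set-Cookie: theme=dark; Path=/",
  "Cache-Control: no-store",
].join("\r\n");

console.log(getAllResponseHeaders(SAMPLE_RESPONSE_HEADERS));
console.log(getResponseHeader(SAMPLE_RESPONSE_HEADERS, "Set-Cookie")); // null
```

Note that the filter drops every Set-Cookie header, not only those carrying HttpOnly: script has document.cookie for the non-HttpOnly ones, and a user agent that tried to expose only the "safe" subset would have to parse cookie attributes it does not otherwise need to understand, which is the definitional gap Anne points to above.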
