- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 12 Jun 2008 14:04:36 +0200
- To: "eric bing" <eric.bing@oracle.com>, public-webapps@w3.org
- Cc: "Jim Manico" <jim@manico.net>
Note: due to the wonders of W3C process we now have a new mailing list, public-webapps. I cc'ed it on this e-mail.

On Sat, 07 Jun 2008 00:18:32 +0200, eric bing <eric.bing@oracle.com> wrote:
> Apologies for the late comments - I belatedly realized the close of
> comments on this was June 3.

That's ok. Technical comments are _always_ welcome. (Though they may not always impact the transition to CR or some other level, of course.)

> I've been discussing some of this internally within Oracle USA and
> within the OWASP mail lists, and would like to make a suggestion.
>
> We're very happy with the mention in the April 15th spec:
> "Apart from requirements affecting security made throughout this
> specification implementations *may*, at their discretion, not expose
> certain headers, such as HttpOnly cookies."
> http://dev.w3.org/2006/webapi/XMLHttpRequest/#security
>
> However, we'd like to see even stronger language here. We think it
> should be *recommended* or even better yet *required* that
> XMLHttpRequest not see these headers of HttpOnly cookies. The fact
> that XMLHTTPRequest can currently see these cookies greatly undermines
> the security value of this flag.

I very much agree, but given that nobody has defined cookies yet in sufficient detail making this a hard requirement is not really feasible at the moment. Once someone has defined cookies in sufficient detail we can revisit this.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 12 June 2008 12:05:18 UTC
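Added example, not code from this thread or from any browser: a small JavaScript model of the response-header filter an XMLHttpRequest implementation applies before headers reach script, contrasting the policy Eric asks for (hide HttpOnly cookies) with the stricter rule the XMLHttpRequest Standard later adopted (Set-Cookie and Set-Cookie2 are never exposed at all). The sample headers, cookie values and all function names are constructed for illustration.

```javascript
// Constructed sample response headers, as [name, value] pairs.
const SAMPLE_HEADERS = [
  ['Content-Type', 'text/html; charset=utf-8'],
  ['Set-Cookie', 'sessionid=abc123; Path=/; HttpOnly; Secure'],
  ['Set-Cookie', 'theme=dark; Path=/'],
  ['Set-Cookie2', 'legacy=1; Version=1; Discard'],
  ['Cache-Control', 'no-store'],
];

// Does a Set-Cookie value carry the HttpOnly attribute?
// Attribute names are case-insensitive (RFC 6265).
function isHttpOnly(cookieValue) {
  return cookieValue.split(';').slice(1)
    .some(attr => attr.trim().toLowerCase() === 'httponly');
}

// Policy 1 (what the e-mail asks for): drop Set-Cookie / Set-Cookie2
// headers whose value is flagged HttpOnly, leave everything else visible.
function hideHttpOnlyCookies(headers) {
  return headers.filter(([name, value]) => {
    const n = name.toLowerCase();
    return !((n === 'set-cookie' || n === 'set-cookie2') && isHttpOnly(value));
  });
}

// Policy 2 (XMLHttpRequest Standard, "forbidden response-header name"):
// drop every Set-Cookie and Set-Cookie2 header regardless of attributes.
function hideAllCookieHeaders(headers) {
  return headers.filter(([name]) => {
    const n = name.toLowerCase();
    return n !== 'set-cookie' && n !== 'set-cookie2';
  });
}

// What getResponseHeader(name) returns under a policy: all surviving
// values for that name joined with ", " (as XHR does), or null if none.
function getResponseHeader(headers, name, policy) {
  const values = policy(headers)
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v);
  return values.length ? values.join(', ') : null;
}

// The check a defender cares about: does the HttpOnly session cookie
// become visible to script under the given policy?
function sessionCookieLeaks(policy) {
  const v = getResponseHeader(SAMPLE_HEADERS, 'Set-Cookie', policy);
  return v !== null && v.includes('sessionid=');
}
```

Passing the identity function as the policy models the pre-2008 behaviour the e-mail objects to, where the HttpOnly cookie is readable from script.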