
Re: [XMLHttpRequest]HttpOnly cookies visibility in XMLHttpRequest

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 12 Jun 2008 14:04:36 +0200
To: "eric bing" <eric.bing@oracle.com>, public-webapps@w3.org
Cc: "Jim Manico" <jim@manico.net>
Message-ID: <op.ucmw5y1m64w2qv@annevk-t60.oslo.opera.com>

Note: due to the wonders of W3C process we now have a new mailing list,  
public-webapps. I cc'ed it on this e-mail.

On Sat, 07 Jun 2008 00:18:32 +0200, eric bing <eric.bing@oracle.com> wrote:
> Apologies for the late comments - I belatedly realized the close of
> comments on this was June 3.

That's ok. Technical comments are _always_ welcome. (Though they may not  
always impact the transition to CR or some other level, of course.)

> I've been discussing some of this internally within Oracle USA and
> within the OWASP mail lists, and would like to make a suggestion.
> We're very happy with the mention in the April 15th spec:
> "Apart from requirements affecting security made throughout this
> specification implementations may, at their discretion, not expose
> certain headers, such as HttpOnly cookies."
> http://dev.w3.org/2006/webapi/XMLHttpRequest/#security
> However, we'd like to see even stronger language here. We think it
> should be *recommended* or even better yet *required* that
> XMLHttpRequest not see these headers of HttpOnly cookies. The fact
> that XMLHTTPRequest can currently see these cookies greatly undermines
> the security value of this flag.

I very much agree, but given that nobody has defined cookies yet in  
sufficient detail making this a hard requirement is not really feasible at  
the moment. Once someone has defined cookies in sufficient detail we can  
revisit this.

Anne van Kesteren
Received on Thursday, 12 June 2008 12:05:18 UTC
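The behaviour Eric asks for above, as an added illustration that is not part of the original thread or of any browser's code: a model of the filtering a user agent would apply so that cookie material never reaches script through XMLHttpRequest. It drops Set-Cookie and Set-Cookie2 from the headers script may read (which later revisions of the XMLHttpRequest specification came to require) and models document.cookie hiding cookies carrying the HttpOnly attribute. The helper names (parseSetCookie, scriptVisibleHeaders, documentCookieView) and the sample headers are constructed for this example.

```javascript
// Added example, not from the thread: a defender's model of which response
// headers and cookies script should be able to see. Helper names are assumed.

// Response headers a user agent must never expose to script via XHR.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

// Parse one Set-Cookie header value into name, value and attribute flags.
function parseSetCookie(headerValue) {
  const [pair, ...attrs] = headerValue.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  // Attribute names are case-insensitive; keep only the name part of "Path=/".
  const flags = attrs.map((a) => a.split('=')[0].trim().toLowerCase());
  return {
    name,
    value,
    httpOnly: flags.includes('httponly'),
    secure: flags.includes('secure'),
  };
}

// Given raw response headers as [name, value] pairs, return only those that
// script may read. Set-Cookie / Set-Cookie2 are dropped regardless of the
// HttpOnly flag, so no cookie value can leak to the page through XHR.
function scriptVisibleHeaders(headers) {
  return headers.filter(
    ([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name.toLowerCase())
  );
}

// Model of document.cookie: only cookies without HttpOnly are readable.
function documentCookieView(setCookieValues) {
  return setCookieValues
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample response: one HttpOnly session cookie, one plain cookie.
const SAMPLE_HEADERS = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'JSESSIONID=abc123; Path=/; HttpOnly; Secure'],
  ['Set-Cookie', 'theme=dark; Path=/'],
  ['X-Frame-Options', 'DENY'],
];

// Convenience: what the page would see from the sample response.
function demo() {
  const visible = scriptVisibleHeaders(SAMPLE_HEADERS);
  const cookies = documentCookieView(
    SAMPLE_HEADERS.filter(([n]) => n.toLowerCase() === 'set-cookie').map(([, v]) => v)
  );
  return { visible, cookies };
}

console.log(demo());
```

Running demo() shows that script sees Content-Type and X-Frame-Options but neither Set-Cookie line, and that document.cookie yields only `theme=dark`; the HttpOnly session cookie is invisible on both paths, which is the property the flag is meant to guarantee.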
