W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2008

Re: [XMLHttpRequest]HttpOnly cookies visibility in XMLHttpRequest

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sun, 22 Jun 2008 01:16:52 +0200
To: eric bing <eric.bing@oracle.com>
Cc: public-webapps@w3.org
Message-ID: <v10r541lus23vglikq4cue2iaspahmsf1n@hive.bjoern.hoehrmann.de>

* eric bing wrote:
>I understand the issues around the lack of a cookie definition, and we 
>suspected that this was the reason this hadn't been addressed more 
>forcefully.

I was the one who proposed the addition of the section along with the
note about HttpOnly, and my proposal did not address this more force-
fully for two reasons. The less important reason is that the interface
is used in enviroments where considerations for web browsers do not
apply (for example, in server-side applications and shell-scripts).

More importantly, it would seem to me that HttpOnly cookies would be
defined along the lines of saying that scripts running in web browsers
should not be given access to them. Therefore a requirement to the same
effect in the XHR specification would not only be redundant and mis-
placed, it would also suggest implementing HttpOnly cookies but making
the cookies available to scripts running in web browsers would somehow
be valid.

>In my mind, you've already started down the slippery slope by mentioning 
>HTTPOnly cookies at all (not that I think that's a bad thing).  If we 
>use the language that Jim mentions below (/recommend/) we can avoid 
>making this a hard requirement but give real guidance to folks 
>implementing the spec.

Someone struggeling with the question whether HttpOnly cookies should
be made available to script code that doesn't have access to the cookie
property of the document object should not be allowed anywhere near web
browser code. The draft mentions HttpOnly cookies because an informed
reader of the specification would realize upon mentioning them that im-
plementers not only may, but have to make security decisions beyond the
ones detailed in the specification. Without an example like it readers
might dismiss the note as boilerplate prose.

The specification obviously cannot detail all the security decsions an
implementer has to make, consider for example how it would look like if
HttpOnly cookies had been introduced prior to the XMLHttpRequest object,
along with how well most specifications are maintained and updated. All
in all, I am afraid following your suggestion might make matters worse
security-wise.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Saturday, 21 June 2008 23:17:30 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:26 GMT