
[XHR] blocking httpOnly cookies

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 20 Oct 2008 17:04:24 +0200
Message-ID: <48FC9DF8.8050703@sicking.cc>
To: Web Applications Working Group WG <public-webapps@w3.org>

In bug 380418 [1] we have decided to completely block access to the 
Set-Cookie header through XHR. This seems like the safest way to prevent 
httpOnly cookies from leaking into JavaScript.

In addition, it seems good to block access to the raw network protocol 
used for security and can contain user credentials.

There is a risk that this will break sites since we are blocking things 
that used to work. However, the number of legitimate uses seems pretty 
small (I can't think of any) and the win is high (blocking httpOnly 
cookies reliably as well as possible future cookie expansions).

The way the blocking works is that the getResponseHeader and 
getAllResponseHeaders functions behave as if Set-Cookie and Set-Cookie2 
were not sent by the server.

/ Jonas

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=380418
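The filtering behaviour described in the message, modelled as an added example (this is not Firefox's code or anything from the bug). The raw header block, the header names other than Set-Cookie/Set-Cookie2, and the cookie values are constructed for illustration.

```javascript
// Header names the XHR response accessors must behave as if they never saw.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

// Parse a raw header block into [name, value] pairs; names are lower-cased
// because header names are case-insensitive and the filter must not be
// bypassed by "SET-COOKIE" or "set-Cookie2".
function parseHeaderLines(raw) {
  const entries = [];
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // status line, blank line or malformed line
    entries.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return entries;
}

// Drop the cookie-setting headers before anything else can observe them.
function filteredHeaders(raw) {
  return parseHeaderLines(raw).filter(([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name));
}

// XHR getResponseHeader semantics: null when absent (or filtered),
// repeated headers joined with ", ".
function getResponseHeader(raw, name) {
  const wanted = name.toLowerCase();
  const values = filteredHeaders(raw).filter(([n]) => n === wanted).map(([, v]) => v);
  return values.length ? values.join(', ') : null;
}

// XHR getAllResponseHeaders semantics: every surviving header as "name: value\r\n".
function getAllResponseHeaders(raw) {
  return filteredHeaders(raw).map(([n, v]) => `${n}: ${v}\r\n`).join('');
}

// Constructed sample response: the httpOnly session cookie must never be visible.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  'Set-Cookie: session=abc123; HttpOnly',
  'SET-COOKIE2: legacy=1; Version=1',
  'X-Custom: a',
  'X-Custom: b',
].join('\r\n');
```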
Received on Monday, 20 October 2008 15:06:17 UTC
