
Re: [XHR] blocking httpOnly cookies

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 10 Dec 2008 14:36:27 +0100
To: "Jonas Sicking" <jonas@sicking.cc>, "Web Applications Working Group WG" <public-webapps@w3.org>
Message-ID: <op.ulx721w564w2qv@annevk-t60.oslo.opera.com>

On Mon, 20 Oct 2008 17:04:24 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> In bug 380418 [1] we have decided to completely block access to the
> Set-Cookie header through XHR. This seems like the safest way to prevent
> httpOnly cookies from leaking into JavaScript.
> In addition it seems good to block access to the raw network protocol
> used for security and can contain user credentials.
> There is a risk that this will break sites since we are blocking things
> that used to work. However, the number of legitimate uses seems pretty
> small (I can't think of any) and the win is high (blocking httpOnly
> cookies reliably as well as possible future cookie expansions).
> The way the blocking works is that the getResponseHeader and
> getAllResponseHeaders functions behave as if Set-Cookie and Set-Cookie2
> were not sent by the server.
> / Jonas
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=380418

This is the exact same approach Opera has been following for a while. I
have made this a requirement in the XMLHttpRequest specifications (the
draft versions, of course).

Anne van Kesteren
Received on Wednesday, 10 December 2008 13:37:15 UTC
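The filtering behaviour the thread describes (getResponseHeader and getAllResponseHeaders acting as if Set-Cookie and Set-Cookie2 were never sent) can be modelled in a few lines. The following is an added example, written for this page and not taken from Mozilla, Opera or the XMLHttpRequest draft; it simulates the header-access side of an XHR object over a constructed response-header block. The function names getResponseHeader and getAllResponseHeaders follow the thread, while parseHeaderBlock, filterHeaders and the sample headers are assumptions made for the example. Header names are compared case-insensitively, as HTTP requires, so a server emitting "SET-COOKIE" is blocked just the same.

```javascript
// Added example, not code from the thread or any browser.
// Models an XHR that hides Set-Cookie / Set-Cookie2 from script, so httpOnly
// cookies delivered in the response never become readable to JavaScript.

// The two response headers the thread (and the later XHR draft) block outright.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

// Parse a raw header block into [name, value] pairs; names are lower-cased
// because HTTP header names are case-insensitive.
function parseHeaderBlock(raw) {
  const pairs = [];
  for (const line of raw.split(/\r?\n/)) {
    if (!line.trim()) continue;
    const idx = line.indexOf(':');
    if (idx === -1) continue; // tolerate malformed lines by skipping them
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    pairs.push([name, value]);
  }
  return pairs;
}

// Drop the blocked headers so every accessor below behaves as if the server
// had never sent them.
function filterHeaders(pairs) {
  return pairs.filter(([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name));
}

// Equivalent of xhr.getResponseHeader(name): null when the header is absent
// (or blocked); multiple values are joined with ", " as XHR does.
function getResponseHeader(pairs, name) {
  const wanted = name.toLowerCase();
  const values = filterHeaders(pairs)
    .filter(([n]) => n === wanted)
    .map(([, v]) => v);
  return values.length ? values.join(', ') : null;
}

// Equivalent of xhr.getAllResponseHeaders(): one "name: value\r\n" per
// surviving header, in the order received.
function getAllResponseHeaders(pairs) {
  return filterHeaders(pairs)
    .map(([n, v]) => `${n}: ${v}\r\n`)
    .join('');
}

// Constructed sample response headers, including an httpOnly session cookie
// and a Set-Cookie2 header in unusual casing.
const SAMPLE_RESPONSE_HEADERS = [
  'Content-Type: text/html; charset=utf-8',
  'Set-Cookie: sessionid=abc123; HttpOnly; Path=/',
  'SET-COOKIE2: legacy=1; Version=1',
  'Cache-Control: no-store',
].join('\r\n');

const parsed = parseHeaderBlock(SAMPLE_RESPONSE_HEADERS);
console.log(getResponseHeader(parsed, 'Set-Cookie'));   // null: blocked
console.log(getResponseHeader(parsed, 'Content-Type')); // still readable
console.log(getAllResponseHeaders(parsed));             // no cookie headers
```

The point to take from the example is that the filter is applied once, before any accessor sees the data, so there is no way to reach the cookie by a different spelling of the name or through the "all headers" string; that is what makes the httpOnly guarantee reliable rather than best-effort.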
