
Re: [XHR] blocking httpOnly cookies

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 10 Dec 2008 14:36:27 +0100
To: "Jonas Sicking" <jonas@sicking.cc>, "Web Applications Working Group WG" <public-webapps@w3.org>
Message-ID: <op.ulx721w564w2qv@annevk-t60.oslo.opera.com>

On Mon, 20 Oct 2008 17:04:24 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> In bug 380418 [1] we have decided to completely block access to the  
> Set-Cookie header through XHR. This seems like the safest way to prevent  
> httpOnly cookies from leaking into JavaScript.
>
> In addition, it seems good to block access to the raw network protocol  
> used for security and can contain user credentials.
>
> There is a risk that this will break sites since we are blocking things  
> that used to work. However the number of legitimate uses seems pretty  
> small (I can't think of any) and the win is high (blocking httpOnly  
> cookies reliably as well as possible future cookie expansions).
>
> The way the blocking works is that the getResponseHeader and  
> getAllResponseHeaders functions behave as if Set-Cookie and Set-Cookie2  
> were not sent by the server.
>
> / Jonas
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=380418

This is the exact same approach Opera has been following for a while. I  
have made this a requirement in the XMLHttpRequest specifications (the  
draft versions, of course).


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
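As an added example (not part of this thread, and not any browser's or the spec's own code), here is a small JavaScript model of the filtering Jonas describes: the raw response headers are assumed to be an array of constructed [name, value] pairs, and Set-Cookie/Set-Cookie2 are removed before getResponseHeader()/getAllResponseHeaders() ever see them, so an httpOnly cookie cannot reach script.

```javascript
// Added example: models XHR behaving as if the server never sent
// Set-Cookie or Set-Cookie2. Header names compare case-insensitively, as in HTTP.

const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Constructed sample response headers, as the network layer received them.
const RAW_RESPONSE_HEADERS = [
  ["Content-Type", "application/json"],
  ["Set-Cookie", "SID=abc123; HttpOnly; Secure"],
  ["Cache-Control", "no-store"],
  ["set-cookie2", "legacy=1; Version=1"],
  ["X-Request-Id", "req-1"],
  ["X-Request-Id", "req-2"],
];

// Drop cookie-setting headers before anything is exposed to script.
function filterResponseHeaders(headers) {
  return headers.filter(
    ([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name.toLowerCase())
  );
}

// getResponseHeader(): null when the header is absent or filtered;
// repeated headers are joined with ", " as the XHR spec does.
function getResponseHeader(headers, name) {
  const wanted = name.toLowerCase();
  const values = filterResponseHeaders(headers)
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}

// getAllResponseHeaders(): "name: value" lines, each terminated by CRLF,
// with the cookie headers omitted entirely.
function getAllResponseHeaders(headers) {
  return filterResponseHeaders(headers)
    .map(([n, v]) => `${n}: ${v}`)
    .map((line) => line + "\r\n")
    .join("");
}

// Stand-alone check: the cookie exists at the network layer but is invisible to script.
console.log(getResponseHeader(RAW_RESPONSE_HEADERS, "Set-Cookie")); // null
console.log(getAllResponseHeaders(RAW_RESPONSE_HEADERS));
```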
Received on Wednesday, 10 December 2008 13:37:15 GMT
