W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2008

Re: [XMLHttpRequest]HttpOnly cookies visibility in XMLHttpRequest

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 10 Dec 2008 14:41:47 +0100
To: "eric bing" <eric.bing@oracle.com>, "Bjoern Hoehrmann" <derhoermi@gmx.net>
Cc: public-webapps@w3.org, "Jim Manico" <jim@manico.net>
Message-ID: <op.ulx8bxyu64w2qv@annevk-t60.oslo.opera.com>

On Mon, 07 Jul 2008 23:24:03 +0200, eric bing <eric.bing@oracle.com> wrote:
> Thanks Bjoern for laying out the reasoning here.  I'm going to make one
> more tilt at the windmill...
>
> What I'm hearing from you and Anne is that you don't disagree with the
> basic principle that XHR should not be able to access
> HttpOnly cookies.  But rather that this spec is not the correct place to
> address this issue - because (I hope I'm restating these correctly)
> 1) It belongs in the (sadly non-existent) spec of cookies
> 2) It should be obvious to implementers
> 3) We can't list out all security implications - for various reasons
> we'll miss some and weaken all security
>
> I have to respectfully disagree with 2 - this was fixed for plain
> javascript access to cookies, but the XHR portions were left out in
> IE6 and Firefox 2.  For background on the Firefox fix - check out
> https://bugzilla.mozilla.org/show_bug.cgi?id=380418

It seems that the solution to this specific issue is in fact completely  
oblivious to httponly. That is, Cookie and Cookie2 can no longer be set as  
request headers and Set-Cookie and Set-Cookie2 cannot be read as response  
headers. I'm therefore planning on removing the httponly cookie note as it  
is no longer necessary.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 10 December 2008 13:42:47 GMT
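The rule Anne describes above, modelled in a small script that is an added example and not code from this thread or from any browser: author script may neither set Cookie / Cookie2 on an XMLHttpRequest nor read Set-Cookie / Set-Cookie2 from its response, while the user agent's own cookie jar still attaches every cookie (HttpOnly ones included) on the wire. The class and function names (CookieJar, ModelXHR, fakeServer, demo) are invented here, the server reply is constructed, and the forbidden-header sets are deliberately limited to the four cookie headers the message names (the real XMLHttpRequest/Fetch lists are longer).

```javascript
// Added example, not from the thread or any browser: model of XHR's
// cookie-header restrictions plus a toy cookie jar. Names are hypothetical.

const FORBIDDEN_REQUEST_HEADERS = new Set(['cookie', 'cookie2']);
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

function isForbiddenRequestHeader(name) {
  return FORBIDDEN_REQUEST_HEADERS.has(String(name).toLowerCase());
}

function isForbiddenResponseHeader(name) {
  return FORBIDDEN_RESPONSE_HEADERS.has(String(name).toLowerCase());
}

// Toy cookie jar: the user agent stores every cookie and sends all of them,
// but only non-HttpOnly cookies appear in the script-facing view.
class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> { value, httpOnly }
  }

  // Parse one Set-Cookie value such as "sid=abc; HttpOnly; Path=/".
  storeFromSetCookie(headerValue) {
    const [pair, ...attrs] = headerValue.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    if (eq < 0) return;
    const httpOnly = attrs.some((a) => a.toLowerCase() === 'httponly');
    this.cookies.set(pair.slice(0, eq), { value: pair.slice(eq + 1), httpOnly });
  }

  // What goes on the wire: every cookie, HttpOnly or not.
  requestCookieHeader() {
    return [...this.cookies].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }

  // What document.cookie would show: HttpOnly cookies filtered out.
  scriptVisibleCookies() {
    return [...this.cookies]
      .filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`)
      .join('; ');
  }
}

// Minimal XHR: author headers filtered on the way in, response headers on the
// way out; the jar is consulted by the model user agent, never by script.
class ModelXHR {
  constructor(jar) {
    this.jar = jar;
    this.authorHeaders = new Map();
    this.responseHeaders = new Map();
  }

  // Returns true if accepted, false if silently ignored (as the spec requires).
  setRequestHeader(name, value) {
    if (isForbiddenRequestHeader(name)) return false;
    this.authorHeaders.set(String(name).toLowerCase(), value);
    return true;
  }

  // `server` maps a request-header object to a response-header object.
  send(server) {
    const wire = Object.fromEntries(this.authorHeaders);
    const cookie = this.jar.requestCookieHeader();
    if (cookie) wire.cookie = cookie; // the UA adds cookies, not the author
    const response = server(wire);
    this.responseHeaders = new Map(
      Object.entries(response).map(([k, v]) => [k.toLowerCase(), v]),
    );
    for (const h of ['set-cookie', 'set-cookie2']) { // UA stores, script never sees
      if (this.responseHeaders.has(h)) this.jar.storeFromSetCookie(this.responseHeaders.get(h));
    }
  }

  getResponseHeader(name) {
    const key = String(name).toLowerCase();
    if (isForbiddenResponseHeader(key)) return null;
    return this.responseHeaders.has(key) ? this.responseHeaders.get(key) : null;
  }

  getAllResponseHeaders() {
    return [...this.responseHeaders]
      .filter(([k]) => !isForbiddenResponseHeader(k))
      .map(([k, v]) => `${k}: ${v}`)
      .join('\r\n');
  }
}

// Constructed server: sets an HttpOnly session cookie and echoes the Cookie it saw.
function fakeServer(requestHeaders) {
  return {
    'Content-Type': 'text/plain',
    'Set-Cookie': 'sid=secret123; HttpOnly; Path=/',
    'X-Saw-Cookie': requestHeaders.cookie || '',
  };
}

function demo() {
  const jar = new CookieJar();
  jar.storeFromSetCookie('theme=dark; Path=/'); // ordinary, script-visible cookie
  const xhr = new ModelXHR(jar);
  const forgedAccepted = xhr.setRequestHeader('Cookie', 'sid=forged'); // ignored
  xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
  xhr.send(fakeServer);
  return {
    forgedAccepted,                                          // false
    serverSawCookie: xhr.getResponseHeader('X-Saw-Cookie'),  // 'theme=dark'
    setCookieVisible: xhr.getResponseHeader('Set-Cookie'),   // null
    allHeaders: xhr.getAllResponseHeaders(),                 // no set-cookie line
    documentCookie: jar.scriptVisibleCookies(),              // 'theme=dark'
    jarHasSession: jar.cookies.has('sid'),                   // true
  };
}
```

Running demo() shows the two halves of the rule at once: the forged Cookie header is dropped before send, and the HttpOnly session cookie the server sets lands in the jar but is reachable from neither getResponseHeader nor the document.cookie view, which is why the separate httponly note in the spec became redundant.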
