
Re: [XMLHttpRequest]HttpOnly cookies visibility in XMLHttpRequest

From: Jim Manico <jim@manico.net>
Date: Thu, 11 Dec 2008 23:46:04 -0500
Message-ID: <4941EC8C.8080303@manico.net>
To: Anne van Kesteren <annevk@opera.com>
CC: eric bing <eric.bing@oracle.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, public-webapps@w3.org
Anne,

After reading section 4 of http://dev.w3.org/2006/webapi/XMLHttpRequest/ 
which states, "excluding headers that case-insensitively match 
Set-Cookie or Set-Cookie2" I feel closure over this issue.

Thank you so much for entertaining this conversation!

Vive HTTPOnly (and the w3c!)

- Jim
> Anne,
>
> Thanks for your response and thought over this matter.
>
> Perhaps we could make a compromise and change:
>
> "Apart from requirements affecting security made throughout this 
> specification implementations may, at their discretion, not expose 
> certain headers, such as headers containing HttpOnly cookies."
>
> to
>
> "Apart from requirements affecting security made throughout this 
> specification implementations should not expose certain headers, 
> such as headers containing HttpOnly cookies."
>
> Since implementors of XHR need to address this issue to truly honor 
> the security benefits of HTTPOnly, I would really like to see this in 
> the current XHR spec.
>
> Thanks for entertaining this conversation,
> Jim Manico
> Aspect Security
>> On Mon, 07 Jul 2008 23:24:03 +0200, eric bing <eric.bing@oracle.com> 
>> wrote:
>>> Thanks Bjoern for laying out the reasoning here.  I'm going to make one
>>> more tilt at the windmill...
>>>
>>> What I'm hearing from you and Anne is that you don't disagree with the
>>> basic principle that XHR should not be able to access
>>> HttpOnly cookies.  But rather that this spec is not the correct 
>>> place to
>>> address this issue - because (I hope I'm restating these correctly)
>>> 1) It belongs in the (sadly non-existent) spec of cookies
>>> 2) It should be obvious to implementers
>>> 3) We can't list out all security implications - for various reasons
>>> we'll miss some and weaken all security
>>>
>>> I have to respectfully disagree with 2 - this was fixed for plain
>>> javascript access to cookies, but the XHR portions were left out in
>>> IE6 and Firefox 2.  For background on the Firefox fix - check out
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=380418
>>
>> It seems that the solution to this specific issue is in fact 
>> completely oblivious to httponly. That is, Cookie and Cookie2 can no 
>> longer be set as request headers and Set-Cookie and Set-Cookie2 
>> cannot be read as response headers. I'm therefore planning on 
>> removing the httponly cookie note as it is no longer necessary.
>>
>>
>
Received on Friday, 12 December 2008 04:46:52 GMT
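The rule Anne describes (Cookie/Cookie2 refused as request headers, Set-Cookie/Set-Cookie2 never readable as response headers, matched case-insensitively and regardless of the HttpOnly attribute) as an added Node.js model. This is example code written for this archive page, not browser code or anything from the XHR spec; `parseHeaderBlock` and the sample response are constructed for the illustration.

```javascript
// Added example: a Node.js model of the XHR header rules discussed above.
// It mirrors the spec text, not a real browser implementation.

// Request headers setRequestHeader() must refuse (case-insensitive).
const FORBIDDEN_REQUEST_HEADERS = new Set(['cookie', 'cookie2']);
// Response headers getResponseHeader()/getAllResponseHeaders() must hide.
const HIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

// Model of setRequestHeader(): true if the header would actually be sent.
function isAllowedRequestHeader(name) {
  return !FORBIDDEN_REQUEST_HEADERS.has(name.toLowerCase());
}

// Hypothetical helper: split a raw header block into [name, value] pairs.
function parseHeaderBlock(raw) {
  return raw.split(/\r?\n/)
    .filter((line) => line.includes(':'))
    .map((line) => {
      const idx = line.indexOf(':');
      return [line.slice(0, idx).trim(), line.slice(idx + 1).trim()];
    });
}

// Model of getAllResponseHeaders(): everything except the hidden headers.
// Note the filter never looks at the HttpOnly attribute; the rule is
// oblivious to it, which is the point made in the thread.
function exposedResponseHeaders(raw) {
  return parseHeaderBlock(raw)
    .filter(([name]) => !HIDDEN_RESPONSE_HEADERS.has(name.toLowerCase()));
}

// Model of getResponseHeader(name): null when the header is hidden or absent.
function getExposedResponseHeader(raw, name) {
  const match = exposedResponseHeaders(raw)
    .find(([n]) => n.toLowerCase() === name.toLowerCase());
  return match ? match[1] : null;
}

// Constructed sample response: mixed-case cookie headers, with and
// without HttpOnly, alongside ordinary headers that must stay visible.
const SAMPLE_RESPONSE_HEADERS = [
  'Content-Type: text/html',
  'Set-Cookie: sid=abc123; HttpOnly',
  'SET-COOKIE: tracker=xyz',
  'set-cookie2: legacy=1; Version=1',
  'X-Frame-Options: DENY',
].join('\r\n');
```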
