
Re: [XHR] blocking httpOnly cookies

From: Bil Corry <bil@corry.biz>
Date: Fri, 12 Dec 2008 11:15:52 -0600
Message-ID: <49429C48.9000403@corry.biz>
To: Web Applications Working Group WG <public-webapps@w3.org>

Anne van Kesteren wrote on 12/10/2008 7:36 AM: 
> 
> On Mon, 20 Oct 2008 17:04:24 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> In bug 380418 [1] we have decided to completely block access to the
>> Set-Cookie header through XHR. This seems like the safest way to
>> prevent httpOnly cookies from leaking into JavaScript.
>>
>> In addition it seems good to block access to the raw network protocol
>> used for security and can contain user credentials.
>>
>> There is a risk that this will break sites since we are blocking
>> things that used to work. However the number of legitimate uses seems
>> pretty small (I can't think of any) and the win is high (blocking
>> httpOnly cookies reliably as well as possible future cookie expansions)
>>
>> The way the blocking works is that the getResponseHeader and
>> getAllResponseHeaders functions behave as if Set-Cookie and
>> Set-Cookie2 were not sent by the server.
>>
>> / Jonas
>>
>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=380418
> 
> This is the exact same approach Opera has been following for a while. I
> have made this a requirement in the XMLHttpRequest specifications (the
> draft versions, of course).

There's a group of us working on an HTTPOnly spec, and we have a draft of the HTTPOnly scope available to review:

	http://docs.google.com/View?docid=dxxqgkd_0cvcqhsdw

If you have an active interest in participating, our list is here:

	http://groups.google.com/group/ietf-httponly-wg

- Bil
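The blocking described in the quoted message (getResponseHeader and getAllResponseHeaders behaving as if the server never sent Set-Cookie or Set-Cookie2) can be modelled in a few lines. The following is an added illustration, not code from Mozilla, Opera, or anyone on this thread: it parses a constructed raw response, drops the two cookie headers case-insensitively, and exposes the remainder with XHR-style semantics (case-insensitive lookup, null when absent, repeated headers joined with ", "). The class and function names are invented for the example.

```javascript
// Added example (not from the original thread): a minimal model of how an
// XMLHttpRequest implementation hides Set-Cookie / Set-Cookie2 from script,
// so an httpOnly cookie cannot be read back through the response headers.
// The raw response below is constructed sample data.

// Header names that script must never see, compared case-insensitively.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Parse a raw HTTP/1.1 header block into [name, value] pairs, keeping order.
function parseHeaderBlock(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.length > 0);
  const pairs = [];
  for (const line of lines.slice(1)) { // skip the status line
    const idx = line.indexOf(":");
    if (idx === -1) continue; // malformed line: ignore it
    pairs.push([line.slice(0, idx).trim(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// Remove the forbidden headers; what remains is all that script may observe.
function filterExposedHeaders(pairs) {
  return pairs.filter(([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name.toLowerCase()));
}

// Hypothetical stand-in for the XHR response object's header accessors.
class FilteredResponse {
  constructor(rawHeaderBlock) {
    this.headers = filterExposedHeaders(parseHeaderBlock(rawHeaderBlock));
  }
  // XHR semantics: case-insensitive lookup, null when absent,
  // multiple values of the same header joined with ", ".
  getResponseHeader(name) {
    const wanted = name.toLowerCase();
    const values = this.headers
      .filter(([n]) => n.toLowerCase() === wanted)
      .map(([, v]) => v);
    return values.length ? values.join(", ") : null;
  }
  // XHR semantics: lowercased names, one "name: value\r\n" line per header.
  getAllResponseHeaders() {
    return this.headers.map(([n, v]) => `${n.toLowerCase()}: ${v}\r\n`).join("");
  }
}

// Constructed sample response: two cookie headers in mixed case plus two
// ordinary headers that script is allowed to read.
const SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html",
  "Set-Cookie: session=abc123; HttpOnly; Secure",
  "SET-COOKIE2: legacy=1; Version=1",
  "X-Frame-Options: DENY",
  "",
].join("\r\n");

const response = new FilteredResponse(SAMPLE_RESPONSE);
console.log(response.getResponseHeader("Set-Cookie"));   // null: hidden
console.log(response.getResponseHeader("Content-Type")); // "text/html"
console.log(response.getAllResponseHeaders());           // no cookie lines
```

The case-insensitive comparison matters: a filter that only matched the literal string "Set-Cookie" would let "SET-COOKIE" or "set-cookie2" through, defeating the purpose of the block.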
Received on Friday, 12 December 2008 17:16:42 GMT
