[whatwg] HttpOnly cookies reference

From: Den.Molib <den.molib@gmail.com>
Date: Wed, 04 Mar 2009 18:51:44 +0100
Message-ID: <49AEBFB0.2040309@gmail.com>

Section 3.2.3 says:
> This specification does not define what makes an HTTP-only cookie, and
> at the time of publication the editor is not aware of any reference
> for HTTP-only cookies. They are a feature supported by some Web
> browsers wherein an "|httponly|" parameter added to the cookie string
> causes the cookie to be hidden from script.

It is my understanding that Http-only cookies were first defined by
Michael Howard on his blog entry titled 'Some Bad News and Some Good
News' (October 21, 2002).

That content is currently hosted at:
http://msdn.microsoft.com/en-us/library/ms972826.aspx (scroll to the
section 'The Good News: Mitigating Cross-Site Scripting Issues')

Microsoft URLs are not too stable. It can also be reached from
(an old url, being used on
or from the Wayback machine

Received on Wednesday, 4 March 2009 09:51:44 UTC