
[whatwg] HttpOnly cookies reference

From: Den.Molib <den.molib@gmail.com>
Date: Wed, 04 Mar 2009 18:51:44 +0100
Message-ID: <49AEBFB0.2040309@gmail.com>

Section 3.2.3 says:
> This specification does not define what makes an HTTP-only cookie, and
> at the time of publication the editor is not aware of any reference
> for HTTP-only cookies. They are a feature supported by some Web
> browsers wherein an "|httponly|" parameter added to the cookie string
> causes the cookie to be hidden from script.

It is my understanding that Http-only cookies were first defined by
Michael Howard in his blog entry titled 'Some Bad News and Some Good
News' (October 21, 2002).

That content is currently hosted at:
http://msdn.microsoft.com/en-us/library/ms972826.aspx (scroll to the
section 'The Good News: Mitigating Cross-Site Scripting Issues')

Microsoft URLs are not too stable. It can also be reached from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure10102002.asp?frame=true
(an old URL, being used on
http://www.microsoft.com/presspass/features/2002/oct02/10-23xss-ie.mspx)
or from the Wayback Machine
http://web.archive.org/web/20061007124347/http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp

Received on Wednesday, 4 March 2009 09:51:44 GMT
