- From: Jim Manico <jim@manico.net>
- Date: Tue, 18 Mar 2008 07:20:31 +0000
- To: ietf-http-wg@w3.org
Received on Tuesday, 18 March 2008 09:27:07 UTC
Are there any efforts underway to support the HttpOnly cookie directive within any version of the HTTP Protocol?

The HttpOnly cookie flag, now supported or soon to be supported by all major browser vendors, is a significant security enhancement for web-centric computing. The HttpOnly flag simply prevents JavaScript from reading the details of a cookie. In particular, adding this flag to the HTTP spec as an /optional/ cookie directive will go a long way in assisting in the mitigation of Cross Site Scripting (XSS) and other session hijacking attack vectors.

With respect + Best Regards,

Jim Manico
jim.manico@aspectsecurity.com
Application Security Engineer + Web Application Architect
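The attribute the message asks about was later standardized in RFC 6265 as the `HttpOnly` attribute of the `Set-Cookie` header: a conforming browser will not expose such a cookie through `document.cookie`, although an XSS payload can still cause the browser to send it on requests it makes. The following is an added example, not part of the original mailing-list message; it runs under Node.js and shows the server side of the mechanism: building a session `Set-Cookie` header that carries `HttpOnly` (together with `Secure` and `SameSite`, which a practitioner would set today), and auditing a captured list of `Set-Cookie` headers for session-looking cookies that lack the flag. The function names, the session-name pattern and the sample headers are assumptions chosen for illustration.

```javascript
// Added example, not code from the original message. Builds and audits
// Set-Cookie headers for the HttpOnly attribute (RFC 6265). Node.js, no browser needed.

// Parse one Set-Cookie header value into its name/value pair and its attributes.
// Attribute names are case-insensitive, so they are lower-cased for lookup;
// flag attributes (HttpOnly, Secure) are stored as `true`.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  if (eq < 0) throw new Error('Set-Cookie value has no name=value pair');
  const name = nameValue.slice(0, eq).trim();
  const value = nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const p of attrParts) {
    const i = p.indexOf('=');
    const k = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[k] = i < 0 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Build a Set-Cookie header for a session cookie. HttpOnly is always set
// (the point of the message); Secure and SameSite are added as hypothetical defaults.
function buildSessionCookie(name, value, { secure = true, sameSite = 'Lax', path = '/' } = {}) {
  // RFC 6265 cookie values may not contain ';', ',' or whitespace; reject the
  // value rather than emit a header that the browser would truncate.
  if (/[;,\s]/.test(value)) throw new Error('invalid cookie value');
  const attrs = [`${name}=${value}`, `Path=${path}`, 'HttpOnly'];
  if (secure) attrs.push('Secure');
  attrs.push(`SameSite=${sameSite}`);
  return attrs.join('; ');
}

// Audit a list of Set-Cookie header values (e.g. captured from a response) and
// return the names of session-looking cookies that lack HttpOnly.
// The name pattern is an assumption; tune it to the application under test.
function findCookiesMissingHttpOnly(setCookieHeaders, sessionNamePattern = /sess|sid|token|auth/i) {
  const missing = [];
  for (const h of setCookieHeaders) {
    const { name, attrs } = parseSetCookie(h);
    if (sessionNamePattern.test(name) && !('httponly' in attrs)) missing.push(name);
  }
  return missing;
}

// Constructed sample headers, as a scanner might capture them from one response.
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/',                                  // session cookie without HttpOnly: should be flagged
  'lang=en; Path=/; Max-Age=31536000',                           // preference cookie: not a session cookie
  'auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict',   // correctly flagged cookie
];

console.log(buildSessionCookie('session', 'abc123'));
console.log('Session cookies missing HttpOnly:', findCookiesMissingHttpOnly(SAMPLE_HEADERS));
```

Running the block prints the hardened header and reports `JSESSIONID` as the one session cookie set without `HttpOnly`. The audit checks only the header the server emits; whether a given browser honours the attribute must be verified in that browser, which is exactly the vendor-support question the message raises.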