Re: HTTPOnly Cookies Specification

Bil Corry wrote:
> Over on OWASP's Intrinsic Security list, I brought up that HTTPOnly cookies should be better implemented across the major browsers.  Jim Manico replied that he's been actively trying to get the browsers to implement (or better implement) HTTPOnly cookies and it became clear in talking with Yngve Pettersen that the lack of a specification for HTTPOnly was hindering browser vendors.
> 
> Out of that, we started a group to discuss and create the HTTPOnly cookie specification.  If you're interested in participating, you can join here:
> 
>  http://groups.google.com/group/ietf-httponly-wg

It seems a little odd to write a specification for the HttpOnly cookie
parameter when there isn't a spec for
cookies-as-they-exist-in-the-real-world in general.

What would really be useful would be for someone to pull an HTML5 on
cookies, documenting how they are actually parsed (i.e., not like the
Netscape spec or either RFC says), how the path and domain parameters
are actually used (i.e., not like the Netscape spec or either RFC says), etc.

-- Dan

Received on Friday, 21 November 2008 13:05:38 UTC
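The parsing behaviour Dan is asking to have documented (attributes split on `;`, attribute names matched case-insensitively, unrecognised attributes such as RFC 2109's `Comment` silently dropped, and a comma inside an `Expires` date never treated as a cookie separator) is the model that RFC 6265 later wrote down. The following is an added example, not code from the thread or from any browser: a small `Set-Cookie` parser following that model, plus an audit that flags cookies with session-like names set without `HttpOnly` or `Secure`. The cookie names in `SESSION_COOKIE_NAMES` and the sample headers are constructed for the demonstration.

```python
"""Browser-style Set-Cookie parsing and a HttpOnly/Secure audit (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None   # None: host-only cookie
    path: Optional[str] = None     # None: browser computes the default-path
    expires: Optional[str] = None  # raw date string, may itself contain a comma
    secure: bool = False
    httponly: bool = False
    unknown: List[str] = field(default_factory=list)  # attributes browsers ignore


def parse_set_cookie(header: str) -> Optional[Cookie]:
    """Parse one Set-Cookie header value the way browsers do, not the RFC 2109 way."""
    # Everything up to the first ';' is name=value; the rest are attributes.
    pair, _, attrs = header.partition(";")
    if "=" not in pair:
        return None  # no '=' in the name-value pair: browsers discard the cookie
    name, _, value = pair.partition("=")
    name, value = name.strip(), value.strip()
    if not name:
        return None
    cookie = Cookie(name, value)
    for attr in attrs.split(";"):  # ';' is the only separator; ',' is not
        attr = attr.strip()
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()  # attribute names are case-insensitive
        if key == "domain":
            cookie.domain = val.lstrip(".").lower() or None  # leading dot is ignored
        elif key == "path":
            cookie.path = val if val.startswith("/") else None  # else default-path
        elif key == "expires":
            cookie.expires = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        else:
            cookie.unknown.append(attr)  # e.g. RFC 2109 Comment/Version: dropped
    return cookie


# Constructed list of names that usually carry a session token (assumption).
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "sessionid"}


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Report session-like cookies that a script could read (no HttpOnly) or
    that would be sent in clear (no Secure). Keyed by cookie name."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie is None or cookie.name.lower() not in SESSION_COOKIE_NAMES:
            continue
        problems = []
        if not cookie.httponly:
            problems.append("missing HttpOnly")
        if not cookie.secure:
            problems.append("missing Secure")
        if problems:
            findings[cookie.name] = problems
    return findings


# Constructed sample headers, as a server might emit them.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "PHPSESSID=def456; path=/app; expires=Wed, 21 Oct 2015 07:28:00 GMT",
    "sessionid=ghi789; Domain=.example.test; Secure; httponly; Comment=test",
    "theme=dark; Path=/",
    "novalue",
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(problems)}")
```

The audit is the server-side check a practitioner wants: an `HttpOnly` flag only helps if every cookie that carries a session token actually has it, and a parser that splits on commas (as RFC 2109 prescribes) would mis-read the `Expires` attribute on the second sample header and lose the attributes that follow it.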