Re: HTTPOnly Cookies Specification

The flaw in this proposal is the assumption that web application builders
will be satisfied with the restrictions imposed by this flag and hence use
it.

I suspect that with the ever-increasing level of highly interactive
content achieved with JavaScript, this flag will be ignored and hence
valueless as a general solution.

More appropriate would be to spend the effort designing a solid security
model which allows JavaScript (and other active content) access to
cookies, but only within the appropriate security rules.

Dave Morris

Received on Sunday, 23 November 2008 03:50:06 UTC