Re: HTTPOnly Cookies Specification

On Fri, 21 Nov 2008 14:04:58 +0100, Dan Winship <>  

> Bil Corry wrote:
>> Over on OWASP's Intrinsic Security list, I brought up that HTTPOnly  
>> cookies should be better implemented across the major browsers.  Jim  
>> Manico replied that he's been actively trying to get the browsers to  
>> implement (or better implement) HTTPOnly cookies and it became clear in  
>> talking with Yngve Pettersen that the lack of a specification for  
>> HTTPOnly was hindering browser vendors.
>> Out of that, we started a group to discuss and create the HTTPOnly  
>> cookie specification.  If you're interested in participating, you can  
>> join here:
> It seems a little odd to write a specification for the HttpOnly cookie
> parameter when there isn't a spec for
> cookies-as-they-exist-in-the-real-world in general.
> What would really be useful would be for someone to pull an HTML5 on
> cookies, documenting how they are actually parsed (ie, not like the
> Netscape spec or either RFC says), how the path and domain parameters
> are actually used (ie, not like the Netscape spec or either RFC says),  
> etc.

The Netscape spec and the RFCs (2109, 2965, 2964) specify how cookies are  
parsed (syntactically), how their arguments are to be interpreted, and how  
the cookies are to be picked when sending.

For the most part there are, AFAIK, no major and very few minor differences  
between the browsers in the processing and picking part.

The parsing/interpretation differences that I am aware of between browsers  
at this time concern mainly what names are permitted (some clients allow  
cookie names with "$" and space, which is not permitted by any of the  
specifications, others don't), and in the policies for how they prevent  
malicious sites from setting cookies for domains like (those are  
discussed in three of the drafts I have published). None of these will  
really affect normal and carefully implemented sites.

Where there are some major differences, is in the policies for processing  
third party cookies, which are not a topic in Netscape's spec, and the  
RFCs' specification is not really widely used. But that would in any case  
be a separate specification.

Given that the differences are minor in the area a specification would  
cover, I do not think a "real world spec" is really necessary.

However, that does not mean that I think the Netscape spec shouldn't be  
republished as an historical RFC, it just does not have to include too  
much information about implementation differences.

In fact, I think having an historical RFC describing the Netscape spec  
cookies would be a good thing now that AOL/Netscape have taken that  
specification offline. But a potential problem with publishing such an RFC  
is the question of who has the rights (copyright) to that specification.

In any case, I think an RFC version of that document would require  
substantial reworking compared to the original before it can be published.

Yngve N. Pettersen
Senior Developer		     Email:
Opera Software ASA         
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01

Received on Sunday, 23 November 2008 15:06:46 UTC
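As an added illustration of the parsing points raised in the message above (the token rule for cookie names, the "$" prefix that RFC 2109 reserves for its own attributes, and the HttpOnly flag this thread is about), here is a small Set-Cookie parser written for this page. It is not code from the original post, from Opera, or from any of the cited specifications. The strict/lenient switch, the attribute set, the `Cookie` class and the constructed sample headers are assumptions chosen to show the name-permissiveness difference the message mentions.

```python
"""Set-Cookie parser: Netscape-style syntax, RFC 2616 token names, HttpOnly.

Added example for this page; not code from the original message.
The strict/lenient modes model the 'some clients allow "$" and space in
names, others do not' difference described in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 2616 "token": any CHAR except CTLs (0x00-0x1F, 0x7F), SP and separators.
_TOKEN_RE = re.compile(r'^[^\x00-\x20\x7f()<>@,;:\\"/\[\]?={}]+$')
# Lenient mode (assumed): only characters that would break the header itself.
_LENIENT_BAD_RE = re.compile(r'[\x00-\x1f\x7f;,=]')
_FLAG_ATTRS = {"secure", "httponly"}  # attributes that take no value


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None
    path: Optional[str] = None
    max_age: Optional[int] = None   # RFC 2109 attribute, not in the Netscape spec
    expires: Optional[str] = None   # Netscape attribute, left as the raw date string
    secure: bool = False
    httponly: bool = False
    warnings: List[str] = field(default_factory=list)


def is_valid_name(name: str, strict: bool = True) -> bool:
    """Strict: RFC token and no leading '$' (reserved for $Version/$Path/$Domain).
    Lenient: what some clients accept, e.g. names containing '$' or a space."""
    if not name:
        return False
    if strict:
        return not name.startswith("$") and bool(_TOKEN_RE.match(name))
    return _LENIENT_BAD_RE.search(name) is None


def parse_set_cookie(header: str, strict: bool = True) -> Optional[Cookie]:
    """Parse one Set-Cookie header value. Returns None if the cookie is rejected.

    Splits on ';' only: an Expires date ("Wed, 09 Jun 2021 ...") contains a
    comma, so splitting on ',' (as RFC 2109 header folding would allow) is
    exactly the kind of spec-vs-reality mismatch the thread is about.
    """
    parts = [p.strip() for p in header.split(";")]
    name, has_eq, value = parts[0].partition("=")
    if not has_eq:
        return None  # Netscape syntax requires NAME=VALUE
    name, value = name.strip(), value.strip()
    if not is_valid_name(name, strict):
        return None
    cookie = Cookie(name=name, value=value)
    for attr in parts[1:]:
        if not attr:
            continue
        key, attr_has_eq, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key in _FLAG_ATTRS:
            setattr(cookie, key, True)
            if attr_has_eq:  # "HttpOnly=yes": flag still set, value ignored
                cookie.warnings.append(f"value given for flag attribute {key!r} ignored")
        elif key == "max-age":
            try:
                cookie.max_age = int(val)
            except ValueError:
                cookie.warnings.append(f"non-numeric Max-Age {val!r} ignored")
        elif key == "domain":
            cookie.domain = val.lower() or None
        elif key == "path":
            cookie.path = val or None
        elif key == "expires":
            cookie.expires = val or None
        else:
            cookie.warnings.append(f"unknown attribute {key!r} ignored")
    return cookie


def visible_to_script(cookie: Cookie) -> bool:
    """The HttpOnly contract: such a cookie must be withheld from document.cookie."""
    return not cookie.httponly


if __name__ == "__main__":
    # Constructed sample headers (not from the original message).
    for hdr in ("SESSION=abc123; Path=/; Secure; HttpOnly",
                "$Version=1; Path=/",
                "my cookie=1"):
        for mode in (True, False):
            c = parse_set_cookie(hdr, strict=mode)
            print(f"{'strict ' if mode else 'lenient'} {hdr!r} -> "
                  f"{'rejected' if c is None else c.name + ' httponly=' + str(c.httponly)}")
```

The strict path is what a browser following the specs would accept; the lenient path reproduces the more permissive name handling the message attributes to "some clients". Sites that keep to token names, as the message suggests careful sites do, parse identically in both modes.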