html5/spec Overview.html,1.1687,1.1688

Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv17933

Modified Files:
	Overview.html 
Log Message:
Mention HTTP-only cookies. (credit: ak) (whatwg r2517)

Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.1687
retrieving revision 1.1688
diff -u -d -r1.1687 -r1.1688
--- Overview.html	2 Dec 2008 07:07:09 -0000	1.1687
+++ Overview.html	2 Dec 2008 10:03:51 -0000	1.1688
@@ -4818,7 +4818,7 @@
   authority, it must return the empty string. Otherwise, it must
   return the same string as the value of the <code title="">Cookie</code> HTTP header it would include if <a href=#fetch title=fetch>fetching</a> the resource indicated by <a href=#the-document-s-address>the
   document's address</a> over HTTP, as per RFC 2109 section 4.3.4
-  or later specifications. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p>On setting, if the document is not associated with a
+  or later specifications, excluding HTTP-only cookies. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p>On setting, if the document is not associated with a
   <a href=#browsing-context>browsing context</a> then the user agent must raise an
   <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the
   <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> is set on the
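Review bot: the getter change at "excluding HTTP-only cookies" uses the term before the document defines it; the only explanation of what an HTTP-only cookie is arrives later, in the note added to the setter section. Either move that note up to the first use or add a cross-reference here, so a reader of the getter text knows that the exclusion means the cookie's name and value are never exposed to script even though they are still sent on the wire. It would also help to state explicitly that the exclusion applies to the returned string only, i.e. the user agent still includes such cookies when fetching, since the sentence before this one describes the return value in terms of the fetch's Cookie header.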
@@ -4830,7 +4830,12 @@
   <a href=#fetch>fetch</a> <a href=#the-document-s-address>the document's address</a> over HTTP,
   and had received a response with a <code>Set-Cookie</code> header
   whose value was the specified value, as per RFC 2109 sections 4.3.1,
-  4.3.2, and 4.3.3 or later specifications. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p class=note>Since the <code title=dom-document-cookie><a href=#dom-document-cookie>cookie</a></code> attribute is accessible
+  4.3.2, and 4.3.3 or later specifications, but without overwriting
+  the values of HTTP-only cookies. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p class=note>This specification does not define what makes an
+  HTTP-only cookie, and at the time of publication the editor is not
+  aware of any reference for HTTP-only cookies. They are a feature
+  supported by some Web browsers wherein an "<code title="">httponly</code>" parameter added to the cookie string
+  causes the cookie to be hidden from script.<p class=note>Since the <code title=dom-document-cookie><a href=#dom-document-cookie>cookie</a></code> attribute is accessible
   across frames, the path restrictions on cookies are only a tool to
   help manage which cookies are sent to which parts of the site, and
   are not in any way a security feature.</p><hr><p>The <dfn id=dom-document-lastmodified title=dom-document-lastModified><code>lastModified</code></dfn>
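Review bot: "but without overwriting the values of HTTP-only cookies" leaves the failure case undefined: when script sets a cookie whose name matches an existing HTTP-only cookie, the text should say whether the set is ignored entirely, whether it creates a second cookie alongside the HTTP-only one, and whether the attempt is silently dropped or raises an exception. The new note also describes the "httponly" parameter only from the server's side (it hides the cookie from script); it should state whether a string passed through the cookie setter may itself carry the "httponly" parameter, and if so whether a user agent honours or strips it, since otherwise the "hidden from script" guarantee is only half specified. Finally, the sentence "the editor is not aware of any reference for HTTP-only cookies" is dated prose for a living specification; consider an inline marker for future replacement with a normative reference once one exists.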

Received on Tuesday, 2 December 2008 10:04:03 UTC