- From: poot <cvsmail@w3.org>
- Date: Tue, 2 Dec 2008 19:06:32 +0900 (JST)
- To: public-html-diffs@w3.org
Mention HTTP-only cookies. (credit: ak) (whatwg r2517)

On getting, if the document is not associated with a browsing context then the user agent must raise an INVALID_STATE_ERR exception. Otherwise, if the sandboxed origin browsing context flag is set on the browsing context of the document, the user agent must raise a SECURITY_ERR exception. Otherwise, if the document's address does not use a server-based naming authority, it must return the empty string. Otherwise, it must return the same string as the value of the Cookie HTTP header it would include if fetching the resource indicated by the document's address over HTTP, as per RFC 2109 section 4.3.4 or later specifications, excluding HTTP-only cookies. [RFC2109] [RFC2965]

http://people.w3.org/mike/diffs/html5/spec/Overview.1.1688.html#sandboxCookies

lastModified
http://people.w3.org/mike/diffs/html5/spec/Overview.1.1688.html#dom-document-lastmodified

http://people.w3.org/mike/diffs/html5/spec/Overview.diff.html
http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.1687&r2=1.1688&f=h
http://html5.org/tools/web-apps-tracker?from=2516&to=2517

=================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.1687 retrieving revision 1.1688 diff -u -d -r1.1687 -r1.1688 --- Overview.html 2 Dec 2008 07:07:09 -0000 1.1687 +++ Overview.html 2 Dec 2008 10:03:51 -0000 1.1688
@@ -4818,7 +4818,7 @@ authority, it must return the empty string. Otherwise, it must return the same string as the value of the <code title="">Cookie</code> HTTP header it would include if <a href=#fetch title=fetch>fetching</a> the resource indicated by <a href=#the-document-s-address>the document's address</a> over HTTP, as per RFC 2109 section 4.3.4 - or later specifications. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p>On setting, if the document is not associated with a + or later specifications, excluding HTTP-only cookies. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p>On setting, if the document is not associated with a <a href=#browsing-context>browsing context</a> then the user agent must raise an <code><a href=#invalid_state_err>INVALID_STATE_ERR</a></code> exception. Otherwise, if the <a href=#sandboxed-origin-browsing-context-flag>sandboxed origin browsing context flag</a> is set on the 
@@ -4830,7 +4830,12 @@ <a href=#fetch>fetch</a> <a href=#the-document-s-address>the document's address</a> over HTTP, and had received a response with a <code>Set-Cookie</code> header whose value was the specified value, as per RFC 2109 sections 4.3.1, - 4.3.2, and 4.3.3 or later specifications. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p class=note>Since the <code title=dom-document-cookie><a href=#dom-document-cookie>cookie</a></code> attribute is accessible + 4.3.2, and 4.3.3 or later specifications, but without overwriting + the values of HTTP-only cookies. <a href=#references>[RFC2109]</a> <a href=#references>[RFC2965]</a><p class=note>This specification does not define what makes an + HTTP-only cookie, and at the time of publication the editor is not + aware of any reference for HTTP-only cookies. They are a feature + supported by some Web browsers wherein an "<code title="">httponly</code>" parameter added to the cookie string + causes the cookie to be hidden from script.<p class=note>Since the <code title=dom-document-cookie><a href=#dom-document-cookie>cookie</a></code> attribute is accessible across frames, the path restrictions on cookies are only a tool to help manage which cookies are sent to which parts of the site, and are not in any way a security feature.</p><hr><p>The <dfn id=dom-document-lastmodified title=dom-document-lastModified><code>lastModified</code></dfn>
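Review bot: In the first hunk (@@ -4818), "excluding HTTP-only cookies" is added to the getter with no definition of the term in reach: RFC 2109 section 4.3.4 and the [RFC2109] and [RFC2965] references cited on the same line do not define it, and the only explanation is the note added further down in the setter section. Link this first use to that note, or move the note ahead of the getter, so the getter text can be read on its own; as written, a reader of the getter alone cannot tell which cookies the returned Cookie header omits.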
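Review bot: In the second hunk (@@ -4830), "but without overwriting the values of HTTP-only cookies" leaves the setter underspecified: it does not say whether a value whose cookie name matches an existing HTTP-only cookie is ignored silently or raises, nor what happens when script itself includes the "httponly" parameter the new note describes. The getter in the same change is explicit ("excluding HTTP-only cookies"), so state the setter outcome in the same normative form, for example "if the value would replace an HTTP-only cookie, the user agent must ignore it". In the new note, "hidden from script" is also broader than this section, which defines only the cookie attribute; either say "hidden from the cookie attribute" or make clear that the hiding is meant to apply to script access generally.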
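The getter and setter rules summarised in this mail, as an added JavaScript model that is not part of the specification, the diff, or any browser's code. `CookieJar`, `getDocumentCookie`, `setDocumentCookie` and `hasServerBasedAuthority` are hypothetical names; the document object is a plain record with just the fields the algorithm inspects. Two points the diff text leaves open are filled with labelled assumptions: the setter returns without effect for a non-server-based address (mirroring the getter), and a script write that itself carries the "httponly" parameter is ignored entirely rather than creating an HTTP-only cookie.

```javascript
// Toy model of the document.cookie getter/setter algorithm from the diff,
// including the HTTP-only rules. All names here are hypothetical; this is
// an illustration, not the spec's or any user agent's implementation.

class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> { value, httpOnly }
  }

  // Store a cookie as if it arrived in a Set-Cookie header.
  // fromHttp = true for a real HTTP response, false for a script write.
  storeSetCookie(headerValue, fromHttp) {
    const parts = headerValue.split(';').map((p) => p.trim());
    const eq = parts[0].indexOf('=');
    if (eq <= 0) return false; // no "name=value" pair: ignore
    const name = parts[0].slice(0, eq).trim();
    const value = parts[0].slice(eq + 1).trim();
    const httpOnly = parts.slice(1).some((a) => a.toLowerCase() === 'httponly');
    // Assumption (not addressed by the diff text): script cannot mint an
    // HTTP-only cookie, so a script write carrying "httponly" is dropped.
    if (!fromHttp && httpOnly) return false;
    // Setter rule from the diff: script must not overwrite an HTTP-only cookie.
    const existing = this.cookies.get(name);
    if (!fromHttp && existing && existing.httpOnly) return false;
    this.cookies.set(name, { value, httpOnly });
    return true;
  }

  // Serialise as a Cookie request header; excludeHttpOnly drops the
  // cookies that the getter must hide from script.
  cookieHeader(excludeHttpOnly) {
    const pairs = [];
    for (const [name, c] of this.cookies) {
      if (excludeHttpOnly && c.httpOnly) continue;
      pairs.push(`${name}=${c.value}`);
    }
    return pairs.join('; ');
  }
}

// "Server-based naming authority": the address has a host component.
function hasServerBasedAuthority(address) {
  try {
    return new URL(address).host !== '';
  } catch (e) {
    return false;
  }
}

function domError(name) {
  const err = new Error(name);
  err.name = name;
  return err;
}

// doc = { address, browsingContext: null | { sandboxedOrigin: boolean } }
function getDocumentCookie(doc, jar) {
  if (doc.browsingContext === null) throw domError('INVALID_STATE_ERR');
  if (doc.browsingContext.sandboxedOrigin) throw domError('SECURITY_ERR');
  if (!hasServerBasedAuthority(doc.address)) return '';
  return jar.cookieHeader(true); // excluding HTTP-only cookies
}

function setDocumentCookie(doc, jar, value) {
  if (doc.browsingContext === null) throw domError('INVALID_STATE_ERR');
  if (doc.browsingContext.sandboxedOrigin) throw domError('SECURITY_ERR');
  // Assumption: no effect for a non-server-based address (mirrors the getter).
  if (!hasServerBasedAuthority(doc.address)) return false;
  return jar.storeSetCookie(value, false);
}

// Constructed scenario: a server-set HTTP-only session cookie plus an
// ordinary cookie, then script tries to read and overwrite both.
function demo() {
  const jar = new CookieJar();
  jar.storeSetCookie('session=abc123; Path=/; HttpOnly', true); // constructed
  jar.storeSetCookie('theme=dark; Path=/', true);               // constructed
  const doc = { address: 'http://example.test/page', browsingContext: { sandboxedOrigin: false } };
  return {
    scriptVisible: getDocumentCookie(doc, jar),           // 'theme=dark'
    sessionOverwritten: setDocumentCookie(doc, jar, 'session=evil'), // false
    themeOverwritten: setDocumentCookie(doc, jar, 'theme=light'),    // true
    fullHeader: jar.cookieHeader(false),                   // 'session=abc123; theme=light'
  };
}

console.log(demo());
```

The two error names are the ones the diff text uses; a real user agent would raise DOMException objects with those codes rather than plain Error instances.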
Received on Tuesday, 2 December 2008 10:10:01 UTC