- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 6 Dec 2009 08:38:05 -0800
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
On Sun, Dec 6, 2009 at 8:19 AM, sird@rckc.at <sird@rckc.at> wrote:
> 3.- Do you really want to return to the user ALL http headers with
> getAllResponseHeaders? think on Set-Cookie + httpOnly

I believe most (all?) implementations block returning Set-Cookie headers with HttpOnly cookies. If the spec doesn't say this, it's out of step with common practice.

Adam

Received on Sunday, 6 December 2009 16:39:05 UTC