- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sun, 22 Jun 2008 01:16:52 +0200
- To: eric bing <eric.bing@oracle.com>
- Cc: public-webapps@w3.org
eric bing wrote:

> I understand the issues around the lack of a cookie definition, and we
> suspected that this was the reason this hadn't been addressed more
> forcefully.

I was the one who proposed the addition of the section along with the note about HttpOnly, and my proposal did not address this more forcefully for two reasons. The less important reason is that the interface is used in environments where considerations for web browsers do not apply (for example, in server-side applications and shell scripts). More importantly, it would seem to me that HttpOnly cookies would be defined along the lines of saying that scripts running in web browsers should not be given access to them. Therefore a requirement to the same effect in the XHR specification would not only be redundant and misplaced, it would also suggest that implementing HttpOnly cookies but making the cookies available to scripts running in web browsers would somehow be valid.

> In my mind, you've already started down the slippery slope by mentioning
> HTTPOnly cookies at all (not that I think that's a bad thing). If we
> use the language that Jim mentions below (/recommend/) we can avoid
> making this a hard requirement but give real guidance to folks
> implementing the spec.

Someone struggling with the question whether HttpOnly cookies should be made available to script code that doesn't have access to the cookie property of the document object should not be allowed anywhere near web browser code. The draft mentions HttpOnly cookies because an informed reader of the specification would realize upon mentioning them that implementers not only may, but have to make security decisions beyond the ones detailed in the specification. Without an example like it, readers might dismiss the note as boilerplate prose.

The specification obviously cannot detail all the security decisions an implementer has to make; consider, for example, how it would look if HttpOnly cookies had been introduced prior to the XMLHttpRequest object, along with how well most specifications are maintained and updated.

All in all, I am afraid following your suggestion might make matters worse security-wise.

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Saturday, 21 June 2008 23:17:30 UTC