- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 10 Dec 2008 14:36:27 +0100
- To: "Jonas Sicking" <jonas@sicking.cc>, "Web Applications Working Group WG" <public-webapps@w3.org>
On Mon, 20 Oct 2008 17:04:24 +0200, Jonas Sicking <jonas@sicking.cc> wrote:

> In bug 380418 [1] we have decided to completely block access to the
> Set-Cookie header through XHR. This seems like the safest way to prevent
> httpOnly cookies from leaking into javascript.
>
> In addition it seems good to block access to the raw network protocol
> used for security and can contain user credentials.
>
> There is a risk that this will break sites since we are blocking things
> that used to work. However the number of legitimate uses seems pretty
> small (I can't think of any) and the win is high (blocking httpOnly
> cookies reliably as well as possible future cookie expansions).
>
> The way the blocking works is that the getResponseHeader and
> getAllResponseHeaders functions behave as if Set-Cookie and Set-Cookie2
> were not sent by the server.
>
> / Jonas
>
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=380418

This is the exact same approach Opera has been following for a while. I have made this a requirement in the XMLHttpRequest specifications (the draft versions, of course).

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 10 December 2008 13:37:15 UTC
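The blocking behaviour Jonas describes, modelled as an added example (not Mozilla's, Opera's or the specification's code): getResponseHeader and getAllResponseHeaders act as if Set-Cookie and Set-Cookie2 were never received, so an httpOnly session cookie cannot be read through XHR. The header names, values and helper functions below are constructed for illustration.

```javascript
// Response headers the XHR methods must behave as if they never received.
// Name matching is case-insensitive, as HTTP header names are.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Parse a raw HTTP header block into [name, value] pairs, preserving order
// and duplicates (Set-Cookie is frequently sent more than once).
function parseRawHeaders(raw) {
  return raw
    .split(/\r?\n/)
    .filter((line) => line.includes(":"))
    .map((line) => {
      const idx = line.indexOf(":");
      return [line.slice(0, idx).trim(), line.slice(idx + 1).trim()];
    });
}

// Drop every header whose name is on the forbidden list, so every caller
// downstream sees the response exactly as if the server had omitted them.
function filterResponseHeaders(headers) {
  return headers.filter(
    ([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name.toLowerCase())
  );
}

// Model of XHR getResponseHeader(): null when the header is absent or
// blocked; repeated headers are joined with ", " as the specification does.
function getResponseHeader(headers, name) {
  const wanted = name.toLowerCase();
  const values = filterResponseHeaders(headers)
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}

// Model of XHR getAllResponseHeaders(): "name: value" lines, each ending
// in CRLF, with the forbidden headers removed.
function getAllResponseHeaders(headers) {
  return filterResponseHeaders(headers)
    .map(([n, v]) => `${n}: ${v}\r\n`)
    .join("");
}

// Constructed sample response carrying an httpOnly session cookie and a
// Set-Cookie2 header in unusual casing (sample data, not a real server).
const SAMPLE_RAW =
  "Content-Type: text/html\r\n" +
  "Set-Cookie: sid=abc123; HttpOnly\r\n" +
  "SET-COOKIE2: legacy=1; Version=1\r\n" +
  "X-Custom: hello\r\n";
const SAMPLE_HEADERS = parseRawHeaders(SAMPLE_RAW);
```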