- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 10 Dec 2008 14:41:47 +0100
- To: "eric bing" <eric.bing@oracle.com>, "Bjoern Hoehrmann" <derhoermi@gmx.net>
- Cc: public-webapps@w3.org, "Jim Manico" <jim@manico.net>
On Mon, 07 Jul 2008 23:24:03 +0200, eric bing <eric.bing@oracle.com> wrote:
> Thanks Bjoern for laying out the reasoning here. I'm going to make one
> more tilt at the windmill...
>
> What I'm hearing from you and Anne is that you don't disagree with the
> basic principle that XHR should not be able to access
> HttpOnly cookies. But rather that this spec is not the correct place to
> address this issue - because (I hope I'm restating these correctly)
> 1) It belongs in the (sadly non-existent) spec of cookies
> 2) It should be obvious to implementers
> 3) We can't list out all security implications - for various reasons
> we'll miss some and weaken all security
>
> I have to respectfully disagree with 2 - this was fixed for plain
> javascript access to cookies, but the XHR portions were left out in
> IE6 and Firefox 2. For background on the Firefox fix - check out
> https://bugzilla.mozilla.org/show_bug.cgi?id=380418

It seems that the solution to this specific issue is in fact completely
oblivious to httponly. That is, Cookie and Cookie2 can no longer be set as
request headers and Set-Cookie and Set-Cookie2 cannot be read as response
headers.

I'm therefore planning on removing the httponly cookie note as it is no
longer necessary.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 10 December 2008 13:42:47 UTC
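The mechanism Anne describes, as an added example that is not part of the thread and not any browser's code: a small model of XMLHttpRequest that refuses to set Cookie/Cookie2 as request headers and hides Set-Cookie/Set-Cookie2 from response-header reads. The point the message makes is that this filter never looks at the HttpOnly attribute at all, so a Set-Cookie with or without HttpOnly is treated identically, while the HttpOnly flag still matters on the separate document.cookie path. Only the four header names from the message are modelled (the real forbidden-header lists in the XHR and Fetch specs are longer); the class and function names, and the sample response headers and cookie jar, are constructed for this example.

```javascript
// Added example, not code from the thread or from any browser: a model of
// the XMLHttpRequest header filtering described in the message. Only the
// four header names from the message are modelled; all names here are
// hypothetical.

const FORBIDDEN_REQUEST_HEADERS = new Set(["cookie", "cookie2"]);
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

function isForbiddenRequestHeader(name) {
  return FORBIDDEN_REQUEST_HEADERS.has(String(name).toLowerCase());
}

function isForbiddenResponseHeader(name) {
  return FORBIDDEN_RESPONSE_HEADERS.has(String(name).toLowerCase());
}

// Minimal stand-in for the parts of XHR relevant here.
class ModelXHR {
  constructor() {
    this.requestHeaders = new Map(); // lower-cased name -> combined value
    this.responseHeaders = [];       // [name, value] pairs as received
  }

  // Browsers drop a forbidden name silently; returning a boolean makes the
  // decision observable in this model.
  setRequestHeader(name, value) {
    if (isForbiddenRequestHeader(name)) return false;
    const key = String(name).toLowerCase();
    const prev = this.requestHeaders.get(key);
    this.requestHeaders.set(key, prev === undefined ? value : `${prev}, ${value}`);
    return true;
  }

  // Constructed: the network layer hands the model the raw response headers.
  receiveResponse(headerPairs) {
    this.responseHeaders = headerPairs.map(([n, v]) => [n, v]);
  }

  // The filter keys on the header name only; the HttpOnly attribute inside
  // a Set-Cookie value is never inspected.
  getResponseHeader(name) {
    if (isForbiddenResponseHeader(name)) return null;
    const key = String(name).toLowerCase();
    const values = this.responseHeaders
      .filter(([n]) => n.toLowerCase() === key)
      .map(([, v]) => v);
    return values.length ? values.join(", ") : null;
  }

  getAllResponseHeaders() {
    return this.responseHeaders
      .filter(([n]) => !isForbiddenResponseHeader(n))
      .map(([n, v]) => `${n}: ${v}`)
      .join("\r\n");
  }
}

// The separate path where HttpOnly does matter: a document.cookie-style read
// of a cookie jar. Constructed model, not a browser API.
function documentCookieView(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample: one HttpOnly session cookie, one ordinary cookie.
const SAMPLE_RESPONSE_HEADERS = [
  ["Content-Type", "text/html"],
  ["Set-Cookie", "sid=abc123; HttpOnly"],
  ["Set-Cookie", "theme=dark"],
  ["X-Frame-Options", "DENY"],
];
const SAMPLE_JAR = [
  { name: "sid", value: "abc123", httpOnly: true },
  { name: "theme", value: "dark", httpOnly: false },
];

function demo() {
  const xhr = new ModelXHR();
  const cookieSet = xhr.setRequestHeader("Cookie", "sid=abc123");
  const customSet = xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
  xhr.receiveResponse(SAMPLE_RESPONSE_HEADERS);
  return {
    cookieSet,                                      // false: Cookie is forbidden
    customSet,                                      // true: ordinary header
    setCookie: xhr.getResponseHeader("Set-Cookie"), // null, HttpOnly or not
    all: xhr.getAllResponseHeaders(),               // no Set-Cookie lines at all
    docCookie: documentCookieView(SAMPLE_JAR),      // "theme=dark": HttpOnly filtered here
  };
}

console.log(demo());
```

Both Set-Cookie headers disappear from the XHR view even though only one carries HttpOnly, which is exactly why the httponly note became redundant once the header filter was in place; the cookie jar read is the only place in this model where the flag is consulted.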