- From: Jim Manico <jim@manico.net>
- Date: Wed, 10 Dec 2008 09:05:09 -0500
- To: Anne van Kesteren <annevk@opera.com>
- CC: eric bing <eric.bing@oracle.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, public-webapps@w3.org
Anne,

Thanks for your response and thought over this matter. Perhaps we could make a compromise and change:

"Apart from requirements affecting security made throughout this specification implementations */may/, at their discretion*, not expose certain headers, such as headers containing HttpOnly cookies."

to

"Apart from requirements affecting security made throughout this specification implementations /*should*/ not expose certain headers, such as headers containing HttpOnly cookies."

Since implementors of XHR need to address this issue to truly honor the security benefits of HTTPOnly, I would really like to see this in the current XHR spec.

Thanks for entertaining this conversation,

Jim Manico
Aspect Security

> On Mon, 07 Jul 2008 23:24:03 +0200, eric bing <eric.bing@oracle.com>
> wrote:
>> Thanks Bjoern for laying out the reasoning here. I'm going to make one
>> more tilt at the windmill...
>>
>> What I'm hearing from you and Anne is that you don't disagree with the
>> basic principle that XHR should not be able to access HttpOnly cookies.
>> But rather that this spec is not the correct place to address this
>> issue - because (I hope I'm restating these correctly)
>> 1) It belongs in the (sadly non-existent) spec of cookies
>> 2) It should be obvious to implementers
>> 3) We can't list out all security implications - for various reasons
>> we'll miss some and weaken all security
>>
>> I have to respectfully disagree with 2 - this was fixed for plain
>> javascript access to cookies, but the XHR portions were left out in
>> IE6 and Firefox 2. For background on the Firefox fix - check out
>> https://bugzilla.mozilla.org/show_bug.cgi?id=380418
>
> It seems that the solution to this specific issue is in fact
> completely oblivious to httponly. That is, Cookie and Cookie2 can no
> longer be set as request headers and Set-Cookie and Set-Cookie2 cannot
> be read as response headers. I'm therefore planning on removing the
> httponly cookie note as it is no longer necessary.
>
Received on Wednesday, 10 December 2008 14:05:59 UTC
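The header rule Anne describes in the quoted reply (Cookie and Cookie2 cannot be set as XHR request headers; Set-Cookie and Set-Cookie2 cannot be read as response headers) is what keeps an HttpOnly cookie out of script even when the response is fetched via XHR. The following is an added illustrative model of those two checks, not code from the thread, the XHR spec or any browser; it goes slightly beyond the thread by treating header names case-insensitively and by also filtering the bulk getAllResponseHeaders accessor, and all header names and values are constructed samples.

```javascript
// Added example: a small model of the XHR cookie-header rules from the thread.
// Not browser or spec code; the sample headers below are constructed.

// Request headers script must not be able to set (Cookie, Cookie2).
const FORBIDDEN_REQUEST_HEADERS = new Set(["cookie", "cookie2"]);
// Response headers script must not be able to read (Set-Cookie, Set-Cookie2).
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Parse a raw header block into [name, value] pairs; repeated headers
// (e.g. several Set-Cookie lines) are kept as separate pairs.
function parseHeaderBlock(raw) {
  return raw
    .split(/\r?\n/)
    .filter((line) => line.includes(":"))
    .map((line) => {
      const i = line.indexOf(":");
      return [line.slice(0, i).trim(), line.slice(i + 1).trim()];
    });
}

// Model of setRequestHeader: names compare case-insensitively, so "COOKIE"
// is refused just like "Cookie". Returns true only if the header was stored.
function setRequestHeader(headers, name, value) {
  if (FORBIDDEN_REQUEST_HEADERS.has(name.toLowerCase())) return false;
  headers.push([name, value]);
  return true;
}

// Model of getResponseHeader: a forbidden name yields null whatever its case;
// otherwise repeated values are joined with ", " as XHR does.
function getResponseHeader(parsed, name) {
  const wanted = name.toLowerCase();
  if (FORBIDDEN_RESPONSE_HEADERS.has(wanted)) return null;
  const values = parsed.filter(([n]) => n.toLowerCase() === wanted).map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}

// Model of getAllResponseHeaders: forbidden names are dropped entirely, so an
// HttpOnly session cookie does not leak through the bulk accessor either.
function getAllResponseHeaders(parsed) {
  return parsed
    .filter(([n]) => !FORBIDDEN_RESPONSE_HEADERS.has(n.toLowerCase()))
    .map(([n, v]) => `${n}: ${v}`)
    .join("\r\n");
}

// Constructed sample response carrying an HttpOnly session cookie.
const SAMPLE_RESPONSE_HEADERS =
  "Content-Type: text/html\r\n" +
  "Set-Cookie: SESSIONID=abc123; HttpOnly; Path=/\r\n" +
  "SET-COOKIE2: legacy=1; Version=1\r\n" +
  "Cache-Control: no-store\r\n";
```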