- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 10 Dec 2008 15:10:33 +0100
- To: "Jim Manico" <jim@manico.net>
- Cc: "eric bing" <eric.bing@oracle.com>, "Bjoern Hoehrmann" <derhoermi@gmx.net>, public-webapps@w3.org
On Wed, 10 Dec 2008 15:05:09 +0100, Jim Manico <jim@manico.net> wrote:
> Thanks for your response and thought over this matter.
>
> Perhaps we could make a compromise and change:
>
> "Apart from requirements affecting security made throughout this
> specification implementations */may/, at their discretion*, not expose
> certain headers, such as headers containing HttpOnly cookies."
>
> to
>
> "Apart from requirements affecting security made throughout this
> specification implementations /*should */not expose certain headers,
> such as headers containing HttpOnly cookies."
>
> Since implementors of XHR need to address this issue to truly honor the
> security benefits of HTTPOnly, I would really like to see this in the
> current XHR spec.

Well, per the current specification implementations "MUST NOT" (it's phrased differently) expose Set-Cookie and Set-Cookie2 and "MUST NOT" allow authors to set Cookie and Cookie2. So an httponly requirement becomes sort of irrelevant as it is a subset of those requirements.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 10 December 2008 14:11:27 UTC
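The following is an added example, not part of the thread and not code from any XMLHttpRequest implementation. It is a small JavaScript model of the two rules Anne cites: Set-Cookie and Set-Cookie2 are never exposed through the response-header getters, and Cookie and Cookie2 cannot be set by the author through setRequestHeader. The function names (`exposedResponseHeaders`, `getResponseHeader`, `setRequestHeader`, `httpOnlyCookiesAreSubsetOfHidden`) and the sample response block are constructed for illustration; the model returns `false` for an ignored request header only so the outcome is visible, where the draft simply stops processing. It also shows why an HttpOnly-specific rule adds nothing here: every HttpOnly cookie arrives in a Set-Cookie header, and those are already hidden in full. Modern browsers (per the Fetch standard) apply a longer forbidden request-header list than the two names shown, so this is a model of the 2008 text, not of today's behaviour.

```javascript
// Added example, not from the thread: a minimal model of the two XMLHttpRequest
// rules Anne cites. Header-name matching is case-insensitive, as in HTTP.
// The sample response further down is constructed input, not a real capture.

const RESPONSE_HEADERS_NOT_EXPOSED = new Set(["set-cookie", "set-cookie2"]);
const REQUEST_HEADERS_AUTHORS_MAY_NOT_SET = new Set(["cookie", "cookie2"]);

// Parse a CRLF-separated header block into [name, value] pairs, keeping order
// and duplicates (Set-Cookie legitimately appears once per cookie).
function parseHeaderBlock(raw) {
  const pairs = [];
  for (const line of raw.split(/\r?\n/)) {
    const colon = line.indexOf(":");
    if (colon <= 0) continue; // skip blank and malformed lines
    pairs.push([line.slice(0, colon).trim(), line.slice(colon + 1).trim()]);
  }
  return pairs;
}

// Model of getAllResponseHeaders(): everything except Set-Cookie / Set-Cookie2
// is exposed, whether or not a cookie carries the HttpOnly attribute.
function exposedResponseHeaders(raw) {
  return parseHeaderBlock(raw).filter(
    ([name]) => !RESPONSE_HEADERS_NOT_EXPOSED.has(name.toLowerCase())
  );
}

// Model of getResponseHeader(name): null for the hidden names or when absent,
// otherwise repeated values joined with ", " as XHR does.
function getResponseHeader(raw, name) {
  const wanted = name.toLowerCase();
  if (RESPONSE_HEADERS_NOT_EXPOSED.has(wanted)) return null;
  const values = parseHeaderBlock(raw)
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}

// Model of setRequestHeader(name, value): Cookie / Cookie2 are ignored rather
// than added. Returning false is a modelling choice so callers can observe it;
// the draft itself just stops processing. Other headers are appended.
function setRequestHeader(requestHeaders, name, value) {
  if (REQUEST_HEADERS_AUTHORS_MAY_NOT_SET.has(name.toLowerCase())) return false;
  requestHeaders.push([name, value]);
  return true;
}

// Does a Set-Cookie value carry the HttpOnly attribute? (Attributes follow the
// first ";" and are case-insensitive.)
function isHttpOnly(setCookieValue) {
  return setCookieValue
    .split(";")
    .slice(1)
    .some((attr) => attr.trim().toLowerCase() === "httponly");
}

// Anne's subset argument made concrete: the HttpOnly cookies are a subset of
// the Set-Cookie headers, and the whole set is already withheld from authors.
function httpOnlyCookiesAreSubsetOfHidden(raw) {
  const setCookies = parseHeaderBlock(raw).filter(([n]) =>
    RESPONSE_HEADERS_NOT_EXPOSED.has(n.toLowerCase())
  );
  const httpOnly = setCookies.filter(([, v]) => isHttpOnly(v));
  const exposedNames = exposedResponseHeaders(raw).map(([n]) => n.toLowerCase());
  const nothingHiddenLeaks = !exposedNames.some((n) => RESPONSE_HEADERS_NOT_EXPOSED.has(n));
  return { hidden: setCookies.length, httpOnly: httpOnly.length, nothingHiddenLeaks };
}

// Constructed sample response (not a real capture): one HttpOnly cookie, one
// ordinary cookie with lower-case header name, two unrelated headers.
const SAMPLE_RESPONSE =
  "Content-Type: text/html\r\n" +
  "Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n" +
  "set-cookie: pref=dark; Path=/\r\n" +
  "X-Frame-Options: DENY";

if (typeof require !== "undefined" && require.main === module) {
  console.log(exposedResponseHeaders(SAMPLE_RESPONSE));
  console.log(getResponseHeader(SAMPLE_RESPONSE, "Set-Cookie"));
  console.log(httpOnlyCookiesAreSubsetOfHidden(SAMPLE_RESPONSE));
  const req = [];
  setRequestHeader(req, "Cookie", "sid=forged");
  setRequestHeader(req, "X-Requested-With", "XMLHttpRequest");
  console.log(req);
}
```

Run with `node` to see that both Set-Cookie lines vanish from the exposed list, that `getResponseHeader("Set-Cookie")` is `null` while `getResponseHeader("content-type")` still works, and that the forged `Cookie` header never reaches the request. The `isHttpOnly` check exists only to make the subset relation visible; the filter itself never consults it, which is exactly Anne's point.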