- From: Jim Manico <jim@manico.net>
- Date: Thu, 11 Dec 2008 23:46:04 -0500
- To: Anne van Kesteren <annevk@opera.com>
- CC: eric bing <eric.bing@oracle.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, public-webapps@w3.org
- Message-ID: <4941EC8C.8080303@manico.net>
Anne,

After reading section 4 of http://dev.w3.org/2006/webapi/XMLHttpRequest/ which states, "excluding headers that case-insensitively match Set-Cookie or Set-Cookie2" I feel closure over this issue. Thank you so much for entertaining this conversation!

Vive HTTPOnly (and the w3c!)

- Jim

> Anne,
>
> Thanks for your response and thought over this matter.
>
> Perhaps we could make a compromise and change:
>
> "Apart from requirements affecting security made throughout this
> specification implementations *may, at their discretion*, not expose
> certain headers, such as headers containing HttpOnly cookies."
>
> to
>
> "Apart from requirements affecting security made throughout this
> specification implementations *should* not expose certain headers,
> such as headers containing HttpOnly cookies."
>
> Since implementors of XHR need to address this issue to truly honor
> the security benefits of HTTPOnly, I would really like to see this in
> the current XHR spec.
>
> Thanks for entertaining this conversation,
> Jim Manico
> Aspect Security
>
>> On Mon, 07 Jul 2008 23:24:03 +0200, eric bing <eric.bing@oracle.com> wrote:
>>
>>> Thanks Bjoern for laying out the reasoning here. I'm going to make one
>>> more tilt at the windmill...
>>>
>>> What I'm hearing from you and Anne is that you don't disagree with the
>>> basic principle that XHR should not be able to access HttpOnly
>>> cookies. But rather that this spec is not the correct place to
>>> address this issue - because (I hope I'm restating these correctly)
>>> 1) It belongs in the (sadly non-existent) spec of cookies
>>> 2) It should be obvious to implementers
>>> 3) We can't list out all security implications - for various reasons
>>> we'll miss some and weaken all security
>>>
>>> I have to respectfully disagree with 2 - this was fixed for plain
>>> javascript access to cookies, but the XHR portions were left out in
>>> IE6 and Firefox 2. For background on the Firefox fix - check out
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=380418
>>
>> It seems that the solution to this specific issue is in fact
>> completely oblivious to httponly. That is, Cookie and Cookie2 can no
>> longer be set as request headers and Set-Cookie and Set-Cookie2
>> cannot be read as response headers. I'm therefore planning on
>> removing the httponly cookie note as it is no longer necessary.
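The two header rules Anne describes (Cookie/Cookie2 refused as request headers, Set-Cookie/Set-Cookie2 hidden from response-header reads, both matched case-insensitively) modelled as a small JavaScript check; this is an added example, not code from the thread, the spec or any browser, and the function names `isForbiddenRequestHeader`, `filterResponseHeaders` and `getResponseHeader` are assumptions for this illustration. The real XHR forbidden-header list is longer than the two names shown; the block models only the pair under discussion.

```javascript
// Added example (not from the thread): a minimal model of the two XHR header
// rules discussed above, showing why HttpOnly cookies stay out of script's
// reach without the XHR layer ever inspecting the HttpOnly flag itself.
// Function names below are assumptions for this illustration, not the XHR API.

const FORBIDDEN_REQUEST_HEADERS = new Set(["cookie", "cookie2"]);
const HIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// setRequestHeader() must refuse these names, compared case-insensitively.
function isForbiddenRequestHeader(name) {
  return FORBIDDEN_REQUEST_HEADERS.has(name.trim().toLowerCase());
}

// Parse a raw CRLF-separated response header block into [name, value] pairs,
// dropping the headers script must never see.
function filterResponseHeaders(rawHeaders) {
  return rawHeaders
    .split(/\r?\n/)
    .filter((line) => line.includes(":"))
    .map((line) => {
      const idx = line.indexOf(":");
      return [line.slice(0, idx).trim(), line.slice(idx + 1).trim()];
    })
    .filter(([name]) => !HIDDEN_RESPONSE_HEADERS.has(name.toLowerCase()));
}

// Equivalent of xhr.getResponseHeader(name): null when absent or hidden,
// otherwise the matching values joined with ", ".
function getResponseHeader(rawHeaders, name) {
  const wanted = name.toLowerCase();
  const values = filterResponseHeaders(rawHeaders)
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}

// Constructed sample response: one HttpOnly cookie and one plain cookie,
// with the cookie header names deliberately in mixed case.
const SAMPLE_RESPONSE_HEADERS = [
  "Content-Type: text/html; charset=utf-8",
  "SET-COOKIE: sessionid=abc123; HttpOnly; Secure",
  "Set-Cookie2: tracking=xyz; Version=1",
  "X-Request-Id: 42",
].join("\r\n");
```

Both cookie headers disappear from the filtered view regardless of HttpOnly, which is the point Anne makes: the XHR-side rule makes the HttpOnly note redundant.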
Received on Friday, 12 December 2008 04:46:52 UTC