- From: Bil Corry <bil@corry.biz>
- Date: Fri, 12 Dec 2008 11:15:52 -0600
- To: Web Applications Working Group WG <public-webapps@w3.org>
Anne van Kesteren wrote on 12/10/2008 7:36 AM:
>
> On Mon, 20 Oct 2008 17:04:24 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>> In bug 380418 [1] we have decided to completely block access to the
>> Set-Cookie header through XHR. This seems like the safest way to
>> prevent httpOnly cookies from leaking into JavaScript.
>>
>> In addition it seems good to block access to the raw network protocol
>> used for security and can contain user credentials.
>>
>> There is a risk that this will break sites since we are blocking
>> things that used to work. However the number of legitimate uses seems
>> pretty small (I can't think of any) and the win is high (blocking
>> httpOnly cookies reliably as well as possible future cookie expansions).
>>
>> The way the blocking works is that the getResponseHeader and
>> getAllResponseHeaders functions behave as if Set-Cookie and
>> Set-Cookie2 were not sent by the server.
>>
>> / Jonas
>>
>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=380418
>
> This is the exact same approach Opera has been following for a while. I
> have made this a requirement in the XMLHttpRequest specifications (the
> draft versions, of course).

There's a group of us working on an HTTPOnly spec, and we have a draft of the HTTPOnly scope available to review:

http://docs.google.com/View?docid=dxxqgkd_0cvcqhsdw

If you have an active interest in participating, our list is here:

http://groups.google.com/group/ietf-httponly-wg

- Bil
Received on Friday, 12 December 2008 17:16:42 UTC
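The filtering Jonas describes (getResponseHeader and getAllResponseHeaders behaving as if Set-Cookie and Set-Cookie2 were never sent) can be modelled in plain JavaScript. The block below is an added illustration and is not code from this thread, from Mozilla, Opera or the XMLHttpRequest draft; the raw response it parses is constructed for the example, and the helper names (parseRawHeaders, makeFilteredResponse, demo) are this example's own. It shows the one detail a practitioner should check when implementing or testing such a filter: the match on the header name must be case-insensitive, or a server emitting "set-cookie" would still leak an HttpOnly session cookie to script.

```javascript
// Response headers that XHR must hide from script, compared case-insensitively.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Parse a raw HTTP/1.1 header block into [name, value] pairs, keeping order
// and duplicates (servers routinely send several Set-Cookie lines).
function parseRawHeaders(raw) {
  const lines = raw.split("\r\n").filter((line) => line.length > 0);
  const pairs = [];
  for (const line of lines.slice(1)) { // skip the status line
    const idx = line.indexOf(":");
    if (idx === -1) continue; // not a header line; ignore
    pairs.push([line.slice(0, idx).trim(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// Build an object exposing the two XHR accessors over the filtered header list.
// Names are kept as received; only the forbidden ones are dropped.
function makeFilteredResponse(raw) {
  const visible = parseRawHeaders(raw).filter(
    ([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name.toLowerCase())
  );
  return {
    // Returns the combined value of all visible headers with that name, or
    // null if none is visible (which is what a caller sees for Set-Cookie).
    getResponseHeader(name) {
      const wanted = name.toLowerCase();
      const values = visible
        .filter(([n]) => n.toLowerCase() === wanted)
        .map(([, v]) => v);
      return values.length ? values.join(", ") : null;
    },
    // Returns the visible headers as one CRLF-separated string.
    getAllResponseHeaders() {
      return visible.map(([n, v]) => `${n}: ${v}\r\n`).join("");
    },
  };
}

// Constructed sample response: the session cookie is HttpOnly and must not
// reach script; note the lower-case "set-cookie" spelling on the second one.
const SAMPLE_RAW =
  "HTTP/1.1 200 OK\r\n" +
  "Content-Type: text/html; charset=utf-8\r\n" +
  "Set-Cookie: sid=abc123; HttpOnly; Path=/\r\n" +
  "set-cookie: theme=dark; Path=/\r\n" +
  "Set-Cookie2: legacy=1; Version=1\r\n" +
  "X-Custom: a\r\n" +
  "X-Custom: b\r\n" +
  "\r\n";

// Exercise the accessors and report what script would observe.
function demo() {
  const xhr = makeFilteredResponse(SAMPLE_RAW);
  return {
    setCookie: xhr.getResponseHeader("Set-Cookie"),      // null
    setCookie2: xhr.getResponseHeader("SET-COOKIE2"),    // null
    contentType: xhr.getResponseHeader("content-type"),  // "text/html; charset=utf-8"
    custom: xhr.getResponseHeader("X-Custom"),           // "a, b"
    leaks: /cookie/i.test(xhr.getAllResponseHeaders()),  // false
  };
}
```

Without the toLowerCase() in the filter, the "set-cookie: theme=dark" line in the sample would survive into getAllResponseHeaders, and a server that happened to spell the header that way for an HttpOnly cookie would defeat the protection entirely.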