- From: Den.Molib <den.molib@gmail.com>
- Date: Wed, 04 Mar 2009 18:51:44 +0100

Section 3.2.3 says:

> This specification does not define what makes an HTTP-only cookie, and
> at the time of publication the editor is not aware of any reference
> for HTTP-only cookies. They are a feature supported by some Web
> browsers wherein an "|httponly|" parameter added to the cookie string
> causes the cookie to be hidden from script.

It is my understanding that Http-only cookies were first defined by Michael Howard on his blog entry titled 'Some Bad News and Some Good News' (October 21, 2002).

That content is currently hosted at:
http://msdn.microsoft.com/en-us/library/ms972826.aspx
(scroll to the section 'The Good News: Mitigating Cross-Site Scripting Issues')

Microsoft urls are not too stable. It can also be reached from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure10102002.asp?frame=true
(an old url, being used on http://www.microsoft.com/presspass/features/2002/oct02/10-23xss-ie.mspx)
or from the Wayback machine
http://web.archive.org/web/20061007124347/http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp

Received on Wednesday, 4 March 2009 09:51:44 UTC