[Webappsec] HTTP only support in XMLHTTPRequest
jim at manico.net
Tue May 6 20:34:11 EDT 2008
Conjecture: Restricting XMLHTTPRequest from reading HttpOnly cookies is
not going to stop web 2.x innovation *in any way.*
I propose that we set up a petition over this issue (I'll lead the
charge in getting this set up) and submit the results to the w3c over
this specific issue.
> This is nice, but as you said, if we don't involve the W3C this will
> assuredly slide down that slippery slope of open access. Our
> community hasn't done an effective job with this so far (IMHO).
> I believe the social-networking software community folks want
> XMLHTTPRequest to have access to anything they want it to,
> *especially* including values they deem as useful (personalization
> and tracking cookies).
> Having OWASP support this would make sense, and add
> weight. Several user-agent implementation projects follow
> OWASP today....
> Also, so would having "Oracle" encouraging this.
> I don't think most of us as individuals will have much say or
> sway, especially if there starts to be conflicting interests
> with the functions of XMLHTTPRequest going forward
> (and I think there will be).
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com | jim at manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)
Securing your applications at the source
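The restriction the post argues for has a concrete shape: an HttpOnly cookie is stored and sent on every request like any other cookie, but a conforming user agent keeps it out of document.cookie and strips Set-Cookie / Set-Cookie2 from what XMLHttpRequest.getAllResponseHeaders() returns, so a script cannot read it out of the response that set it. The following is an added example written for this page, not code from the thread or from any browser; it models that behaviour in plain Node.js. The cookie jar class, the header list and the cookie values are constructed for the demonstration, and the lowercased header names and CRLF line format assume the XMLHttpRequest specification's definition of getAllResponseHeaders().

```javascript
// Added example, not code from the original post: a small model of how a
// conforming user agent keeps HttpOnly cookies away from script while still
// sending them on every request. Cookie jar, headers and values are constructed.

// Parse a single Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(';').map((p) => p.trim());
  const eq = nameValue.indexOf('=');
  const name = eq >= 0 ? nameValue.slice(0, eq).trim() : nameValue;
  const value = eq >= 0 ? nameValue.slice(eq + 1).trim() : '';
  const attrs = Object.create(null);
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i >= 0 ? part.slice(0, i) : part).trim().toLowerCase();
    attrs[key] = i >= 0 ? part.slice(i + 1).trim() : true;
  }
  return {
    name,
    value,
    httpOnly: 'httponly' in attrs,
    secure: 'secure' in attrs,
    attrs,
  };
}

// A minimal cookie jar: every cookie the server set is stored, HttpOnly or
// not, because the flag governs script access, not transport.
class CookieJar {
  constructor() {
    this.cookies = new Map();
  }

  // Store cookies from a list of [name, value] response header pairs.
  storeFromResponse(responseHeaders) {
    for (const [headerName, headerValue] of responseHeaders) {
      if (headerName.toLowerCase() !== 'set-cookie') continue;
      const cookie = parseSetCookie(headerValue);
      this.cookies.set(cookie.name, cookie);
    }
  }

  // The Cookie request header: HttpOnly cookies are included, so the
  // session keeps working; the flag never stops the browser sending them.
  requestCookieHeader() {
    return [...this.cookies.values()]
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What document.cookie exposes to page script: HttpOnly cookies omitted.
  documentCookie() {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// What XMLHttpRequest.getAllResponseHeaders() should return: Set-Cookie and
// Set-Cookie2 are stripped, otherwise a script could read an HttpOnly cookie
// straight out of the response that set it. Lowercased names and CRLF line
// endings follow the XMLHttpRequest specification (assumed here).
function getAllResponseHeaders(responseHeaders) {
  const hidden = new Set(['set-cookie', 'set-cookie2']);
  return responseHeaders
    .filter(([name]) => !hidden.has(name.toLowerCase()))
    .map(([name, value]) => `${name.toLowerCase()}: ${value}\r\n`)
    .join('');
}

// Constructed sample response: a session cookie marked HttpOnly and a
// harmless preference cookie without the flag.
const sampleResponseHeaders = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'sessionid=abc123; Path=/; HttpOnly; Secure'],
  ['Set-Cookie', 'theme=dark; Path=/'],
];

// Run the model once and report what each surface exposes.
function demo(responseHeaders = sampleResponseHeaders) {
  const jar = new CookieJar();
  jar.storeFromResponse(responseHeaders);
  return {
    sentToServer: jar.requestCookieHeader(),
    documentCookie: jar.documentCookie(),
    xhrHeaders: getAllResponseHeaders(responseHeaders),
  };
}

console.log(demo());
```

Running it shows the session cookie on the wire (`sessionid=abc123; theme=dark`) but only `theme=dark` in document.cookie and no set-cookie line in the XHR header dump; the point of the thread is that the header-stripping half of this model, not just the document.cookie half, must be part of the standard.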