[owasp-intrinsic-security] HTTPOnly cookie flag

Jim Manico jim.manico at aspectsecurity.com
Sun Nov 2 20:48:43 EST 2008

> Another topic, pushing browser vendors to support HTTPOnly for read,
> write, and XHR:

I'm on it.

Firefox 3.1 is most likely going to be the first out of the gate with
complete support:


Safari has not even supported the most basic HTTPOnly features, lame:


I've sent messages to the IE Security team (they are on it for IE 8) -
they currently provide basic HTTPOnly support.

I've also sent messages to the Opera Team, they have not responded in
kind nor have they given me access to their bug tracking system. Lame.

I've supplied a patch to Apache Tomcat to include server-side support
(going live next release)

I've even had several conversations with W3C folks on this topic - but
the specs are horrible and confusing when it comes to this topic -
especially over XHR.

Any help on this HTTPOnly crusade is well appreciated.

- Jim

-----Original Message-----
From: owasp-intrinsic-security-bounces at lists.owasp.org
[mailto:owasp-intrinsic-security-bounces at lists.owasp.org] On Behalf Of
Bil Corry
Sent: Thursday, October 30, 2008 11:42 AM
To: owasp-intrinsic-security at lists.owasp.org
Subject: [owasp-intrinsic-security] HTTPOnly cookie flag

Another topic, pushing browser vendors to support HTTPOnly for read,
write, and XHR:


- Bil
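The thread is about getting browsers to honour the HttpOnly flag on all three script-facing surfaces (document.cookie reads, script writes that would overwrite the cookie, and XHR exposing Set-Cookie response headers) and about servers emitting the flag in the first place. The following is an added example, not code from the list, from Jim, from Bil, or from any browser or server project mentioned above: a small Python audit that parses Set-Cookie headers, flags session-bearing cookies that lack HttpOnly, and shows the server-side fix of appending the attribute. The header values and the list of "sensitive" cookie names are constructed for the example.

```python
"""Audit Set-Cookie headers for the HttpOnly attribute.

Added example (not part of the OWASP list thread). The sample headers
below are constructed; the cookie names treated as session-bearing are
an assumption for the demonstration.
"""

# Constructed sample Set-Cookie headers, as a server might emit them.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",      # correct: flag present
    "prefs=dark; Path=/; Max-Age=31536000",     # not sensitive, flag optional
    "auth=tok; Path=/; Secure",                 # sensitive and missing HttpOnly
]

# Assumed list of cookie names that carry session/auth state.
SENSITIVE_COOKIE_NAMES = ("jsessionid", "auth", "session", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure, which carry no value, map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def missing_httponly(headers, sensitive_names=SENSITIVE_COOKIE_NAMES):
    """Return the names of sensitive cookies that are set without HttpOnly.

    A cookie without HttpOnly is readable by script through document.cookie,
    which is exactly what the flag is meant to prevent.
    """
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() in sensitive_names and attrs.get("httponly") is not True:
            findings.append(name)
    return findings


def add_httponly(header):
    """Server-side fix: append HttpOnly to a Set-Cookie header if absent.

    Idempotent: a header that already carries the flag is returned unchanged.
    """
    _, _, attrs = parse_set_cookie(header)
    if attrs.get("httponly") is True:
        return header
    return header.rstrip("; ") + "; HttpOnly"


if __name__ == "__main__":
    for name in missing_httponly(SAMPLE_SET_COOKIE_HEADERS):
        print(f"cookie {name!r} is set without HttpOnly")
    print(add_httponly("auth=tok; Path=/; Secure"))
```

Run against a real response, the audit only tells you what the server sent; whether a given browser then actually hides the cookie from document.cookie and from XHR response headers is the browser-side behaviour the thread is chasing, and has to be tested in each browser separately.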
