[owasp-intrinsic-security] HTTPOnly cookie flag
bil at corry.biz
Mon Nov 3 17:32:22 EST 2008
Jim Manico wrote on 11/2/2008 7:48 PM:
> I've also sent messages to the Opera Team, they have not responded in
> kind nor have they given me access to their bug tracking system.
FWIW, I sent an email to Anne van Kesteren this morning to ask if she knows Opera's plans for HTTPOnly. I haven't gotten a reply yet; if/when I do, I'll post it here. I did find this while doing a search; it turns out Yngve Pettersen of Opera has been working on revising the RFC for cookies to fix cookie leaking issues with domains like "city.state.us":
I'm thinking he's probably the one to ask about HTTPOnly; I just fired off an email to him too. And it makes me wonder if we should be working with IETF to get HTTPOnly added to the RFC?