[owasp-intrinsic-security] HTTPOnly cookie flag

Bil Corry bil at corry.biz
Mon Nov 3 17:32:22 EST 2008


Jim Manico wrote on 11/2/2008 7:48 PM: 
> I've also sent messages to the Opera Team, they have not responded in
> kind nor have they given me access to their bug tracking system.

FWIW, I sent an email to Anne van Kesteren this morning to ask if she knows Opera's plans for HTTPOnly.  I haven't gotten a reply yet; if/when I do, I'll post it here.  I did find this while doing a search; it turns out Yngve Pettersen of Opera has been working on revising the RFC for cookies to fix cookie-leaking issues with domains like "city.state.us":

	http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-03.txt
	http://www.ietf.org/proceedings/07jul/slides/httpbis-1.pdf

I'm thinking he's probably the one to ask about HTTPOnly; I just fired off an email to him too.  And it makes me wonder if we should be working with IETF to get HTTPOnly added to the RFC?


- Bil
