[owasp-intrinsic-security] HTTPOnly cookie flag

Giorgio Maone giorgio.maone at gmail.com
Mon Nov 3 17:50:53 EST 2008


> FWIW, I sent an email to Anne van Kesteren this morning to ask if she
> knows Opera's plans for HTTPOnly.

FWIW, Anne is a young male :)

On Mon, Nov 3, 2008 at 11:32 PM, Bil Corry <bil at corry.biz> wrote:

> Jim Manico wrote on 11/2/2008 7:48 PM:
> > I've also sent messages to the Opera Team, they have not responded in
> > kind nor have they given me access to their bug tracking system.
>
> FWIW, I sent an email to Anne van Kesteren this morning to ask if she knows
> Opera's plans for HTTPOnly.  I haven't gotten a reply yet, if/when I do I'll
> post it here.  I did find this while doing a search; turns out Yngve
> Pettersen of Opera has been working on revising the RFC for cookies to fix
> cookie leaking issues with domains like "city.state.us":
>
> http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-03.txt
> http://www.ietf.org/proceedings/07jul/slides/httpbis-1.pdf
>
> I'm thinking he's probably the one to ask about HTTPOnly; I just fired off
> an email to him too.  And it makes me wonder if we should be working with
> IETF to get HTTPOnly added to the RFC?
>
>
> - Bil