[owasp-intrinsic-security] HTTPOnly cookie flag

Jim Manico jim.manico at aspectsecurity.com
Mon Nov 10 13:56:09 EST 2008


Fantastic - I'm stoked to see movement in this direction. 

http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-03.txt
does not mention HttpOnly at all - perhaps that would be a great place
to start in your conversations with Y.

As a side note, one thing I see the Firefox team doing to offer complete
HttpOnly support is to prevent XHR access both to set-cookie and
set-cookie2. Seems like Firefox is about to be the first browser out the
gate to truly offer complete HttpOnly support.

- Jim
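Added example, not code from the list thread or from any browser: a small Node script that audits Set-Cookie headers for the HttpOnly flag and models the browser-side rule described above, where headers handed to script through XHR must exclude Set-Cookie and Set-Cookie2 so an HttpOnly cookie cannot be read that way. The response headers are constructed sample data.

```javascript
// Parse one Set-Cookie header value into name, value and the two flags
// that matter for this check (attribute names are case-insensitive).
function parseSetCookie(headerValue) {
  const [pair, ...attrs] = headerValue.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : pair,
    value: eq >= 0 ? pair.slice(eq + 1) : '',
    httpOnly: false,
    secure: false,
  };
  for (const attr of attrs) {
    const key = attr.split('=')[0].toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Names of cookies a server sets without HttpOnly: these stay readable
// from document.cookie and are the ones an XSS payload could lift.
function cookiesMissingHttpOnly(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}

// Model of the browser rule: what XHR exposes to script must not include
// Set-Cookie or Set-Cookie2, otherwise HttpOnly would be bypassable.
const SCRIPT_HIDDEN_HEADERS = new Set(['set-cookie', 'set-cookie2']);
function headersVisibleToScript(responseHeaders) {
  return Object.fromEntries(
    Object.entries(responseHeaders).filter(
      ([name]) => !SCRIPT_HIDDEN_HEADERS.has(name.toLowerCase())
    )
  );
}

// Constructed sample response (not captured from a real server).
const sampleHeaders = {
  'Content-Type': 'text/html',
  'Set-Cookie': 'SESSIONID=abc123; Path=/; Secure; HttpOnly',
  'Set-Cookie2': 'legacy=1; Version=1',
};

console.log('visible to script:', headersVisibleToScript(sampleHeaders));
console.log('missing HttpOnly:', cookiesMissingHttpOnly([
  sampleHeaders['Set-Cookie'], 'prefs=dark; Path=/', sampleHeaders['Set-Cookie2'],
]));
```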

-----Original Message-----
From: owasp-intrinsic-security-bounces at lists.owasp.org
[mailto:owasp-intrinsic-security-bounces at lists.owasp.org] On Behalf Of
Bil Corry
Sent: Monday, November 03, 2008 5:32 PM
To: owasp-intrinsic-security at lists.owasp.org
Subject: Re: [owasp-intrinsic-security] HTTPOnly cookie flag

Jim Manico wrote on 11/2/2008 7:48 PM: 
> I've also sent messages to the Opera Team, they have not responded in
> kind nor have they given me access to their bug tracking system.

FWIW, I sent an email to Anne van Kesteren this morning to ask if she
knows Opera's plans for HTTPOnly.  I haven't gotten a reply yet; if/when
I do I'll post it here.  I did find this while doing a search; turns out
Yngve Pettersen of Opera has been working on revising the RFC for
cookies to fix cookie leaking issues with domains like "city.state.us":

	http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-03.txt
	http://www.ietf.org/proceedings/07jul/slides/httpbis-1.pdf

I'm thinking he's probably the one to ask about HTTPOnly; I just fired
off an email to him too.  And it makes me wonder if we should be working
with IETF to get HTTPOnly added to the RFC?


- Bil

_______________________________________________
owasp-intrinsic-security mailing list
owasp-intrinsic-security at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-intrinsic-security