[owasp-intrinsic-security] HTTPOnly cookie flag
jim.manico at aspectsecurity.com
Mon Nov 10 13:56:09 EST 2008
Fantastic - I'm stoked to see movement in this direction.
does not mention HttpOnly at all - perhaps that would be a great place
to start in your conversations with Y.
As a side note, one thing I see the Firefox team doing to offer complete
HttpOnly support is to prevent XHR access both to set-cookie and
set-cookie2. Seems like Firefox is about to be the first browser out the
gate to truly offer complete HttpOnly support.
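As an added example for this thread (not code from the list, from the poster, or from any browser vendor), a small Python audit that parses Set-Cookie and Set-Cookie2 response headers and reports which cookies a server set without the HttpOnly flag; the header lines it runs over are constructed sample input.

```python
"""Audit Set-Cookie / Set-Cookie2 response headers for the HttpOnly flag.

Added example for this thread, not code from the list or from any browser
vendor; the header lines below are constructed sample input.
"""
from typing import Dict, List, Tuple

# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Max-Age=3600"),
    ("Set-Cookie2", "legacy=1; Version=1; Path=/"),
]


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        # Flag attributes such as HttpOnly/Secure carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def cookies_missing_httponly(headers: List[Tuple[str, str]]) -> List[str]:
    """Return names of cookies set without HttpOnly, in either header form."""
    missing = []
    for header, value in headers:
        if header.lower() not in ("set-cookie", "set-cookie2"):
            continue
        cookie = parse_set_cookie(value)
        if "httponly" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie {name!r} is readable by script: add HttpOnly")
```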
From: owasp-intrinsic-security-bounces at lists.owasp.org
[mailto:owasp-intrinsic-security-bounces at lists.owasp.org] On Behalf Of
Sent: Monday, November 03, 2008 5:32 PM
To: owasp-intrinsic-security at lists.owasp.org
Subject: Re: [owasp-intrinsic-security] HTTPOnly cookie flag
Jim Manico wrote on 11/2/2008 7:48 PM:
> I've also sent messages to the Opera Team, they have not responded in
> kind nor have they given me access to their bug tracking system.
FWIW, I sent an email to Anne van Kesteren this morning to ask if she
knows Opera's plans for HTTPOnly. I haven't gotten a reply yet; if/when
I do I'll post it here. I did find this while doing a search; turns out
Yngve Pettersen of Opera has been working on revising the RFC for
cookies to fix cookie leaking issues with domains like "city.state.us":
I'm thinking he's probably the one to ask about HTTPOnly; I just fired
off an email to him too. And it makes me wonder if we should be working
with IETF to get HTTPOnly added to the RFC?