[owasp-intrinsic-security] HTTPOnly cookie flag

Jim Manico jim.manico at aspectsecurity.com
Mon Nov 10 13:56:09 EST 2008

Fantastic - I'm stoked to see movement in this direction. 

does not mention HttpOnly at all - perhaps that would be a great place
to start in your conversations with Y.

As a side note, one thing I see the Firefox team doing to offer complete
HttpOnly support is to prevent XHR access both to set-cookie and
set-cookie2. Seems like Firefox is about to be the first browser out the
gate to truly offer complete HttpOnly support.

- Jim
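A defender-side check for the flag discussed above, added here as an example and not code from the thread or from any browser vendor: it parses Set-Cookie and Set-Cookie2 response headers (constructed sample lines) and lists the cookies that were issued without HttpOnly.

```javascript
// Added example (not from the thread): audit Set-Cookie / Set-Cookie2
// response headers and report cookies that lack the HttpOnly flag.
// Runs in Node.js on constructed header lines; no network access needed.

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are case-insensitive, so they are lower-cased; flag
// attributes without a value (HttpOnly, Secure) are stored as true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Given raw response header lines, return the names of cookies set
// without HttpOnly. Both Set-Cookie and Set-Cookie2 are inspected,
// the same two headers the message above says Firefox hides from XHR.
function cookiesMissingHttpOnly(headerLines) {
  const missing = [];
  for (const line of headerLines) {
    const colon = line.indexOf(':');
    if (colon === -1) continue;
    const field = line.slice(0, colon).trim().toLowerCase();
    if (field !== 'set-cookie' && field !== 'set-cookie2') continue;
    const cookie = parseSetCookie(line.slice(colon + 1));
    if (cookie.attributes.httponly !== true) missing.push(cookie.name);
  }
  return missing;
}

// Constructed sample response headers for demonstration.
const sampleHeaders = [
  'Content-Type: text/html',
  'Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly',
  'Set-Cookie: prefs=theme=dark; Path=/',
  'Set-Cookie2: legacy=1; Version=1; Path=/',
];

console.log(cookiesMissingHttpOnly(sampleHeaders)); // prints [ 'prefs', 'legacy' ]
```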

-----Original Message-----
From: owasp-intrinsic-security-bounces at lists.owasp.org
[mailto:owasp-intrinsic-security-bounces at lists.owasp.org] On Behalf Of
Bil Corry
Sent: Monday, November 03, 2008 5:32 PM
To: owasp-intrinsic-security at lists.owasp.org
Subject: Re: [owasp-intrinsic-security] HTTPOnly cookie flag

Jim Manico wrote on 11/2/2008 7:48 PM: 
> I've also sent messages to the Opera Team, they have not responded in
> kind nor have they given me access to their bug tracking system.

FWIW, I sent an email to Anne van Kesteren this morning to ask if she
knows Opera's plans for HTTPOnly.  I haven't gotten a reply yet, if/when
I do I'll post it here.  I did find this while doing a search; turns out
Yngve Pettersen of Opera has been working on revising the RFC for
cookies to fix cookie leaking issues with domains like "city.state.us":


I'm thinking he's probably the one to ask about HTTPOnly; I just fired
off an email to him too.  And it makes me wonder if we should be working
with IETF to get HTTPOnly added to the RFC?

- Bil
