[owasp-intrinsic-security] HTTPOnly cookie flag
Jim Manico
jim.manico at aspectsecurity.com
Tue Nov 11 17:52:28 EST 2008
> The issue is there isn't a published spec on HTTPOnly (at least none
> that I can find).
Agreed. I back the industry mentality of: "The HttpOnly attribute for
cookies is not part of RFC 2965 but is widely used because it provides an
extra level of security..." For now, at least. (per
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6692802)
> Maybe Microsoft has one,
The closest is http://msdn.microsoft.com/en-us/library/ms533046.aspx
which is weak at best - it does not include XHR exposure protection.
> but otherwise, I'm assuming each browser vendor has been winging it.
> So first step would be to create a spec for HTTPOnly and either work
> with Yngve to roll it into his existing draft, or create a separate
> draft just for HTTPOnly.
Ideally, I think we want a separate HttpOnly RFC - since so many other
specs may need to address it. Can we just start it, or do we need
Microsoft to take charge here? (ech)
http://www.w3.org/TR/XMLHttpRequest is woefully addressing HTTPOnly
incorrectly. Anne and I went one round on this topic, and I lost. In
particular, section 3's "Security Considerations" seems almost tragic
(*at their discretion* did not seem strong enough to me) see:
http://www.w3.org/TR/XMLHttpRequest/#security
3. Security Considerations
Apart from requirements affecting security made throughout this
specification implementations may, at their discretion, not expose
certain headers, such as HttpOnly cookies.
> But I think it should just outright prevent reading any cookie header
> for any cookie that is HTTPOnly
I agree with you 100%. There is never a reason for JavaScript to ever
have access to HTTPOnly cookies in any way. They will still be sent on
outbound requests per the HTTP standard, but HTTPOnly is a clear missive
that I feel we should implement in a very strong manner.
Great Job, Bill. Thanks for your efforts on this front.
- Jim
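The contract the thread argues for can be stated in code. The following is an added example, not code from the thread, from any browser, or from any of the specs mentioned: a small model of a cookie store that withholds HttpOnly cookies from the `document.cookie` view and from exposed response headers while still sending them on outbound requests, plus a server-side audit helper that reports session cookies set without the flag. Cookie names and values are constructed sample data; `parseSetCookie`, `CookieJar`, `exposedResponseHeaders` and `auditSetCookie` are names chosen here, with no domain, path or expiry handling.

```javascript
// Added example (not from the mailing-list thread or any browser): a minimal
// model of how HttpOnly cookies are expected to be handled. Sample cookies are
// constructed for illustration.

// Parse a single Set-Cookie header value into its name/value pair and attributes.
// Attribute names are case-insensitive; valueless attributes (HttpOnly, Secure)
// are recorded as `true`.
function parseSetCookie(headerValue) {
  const [pair, ...attrParts] = headerValue.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    if (part === '') continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return {
    name,
    value,
    httpOnly: attrs.httponly === true,
    secure: attrs.secure === true,
    attrs,
  };
}

// Minimal cookie store standing in for the browser's jar.
class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> parsed cookie, insertion-ordered
  }

  // Store every Set-Cookie header carried by a response.
  storeFromResponse(setCookieHeaders) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h);
      this.cookies.set(c.name, c);
    }
  }

  // What document.cookie may hand to script: HttpOnly cookies are withheld.
  documentCookieView() {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What the Cookie request header carries: every stored cookie, HttpOnly
  // included, because HttpOnly restricts script access, not transmission.
  requestCookieHeader() {
    return [...this.cookies.values()]
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Response headers an XHR-style API may expose to script. Set-Cookie and
// Set-Cookie2 are dropped outright rather than "at the implementation's
// discretion", so an HttpOnly value can never leak through getResponseHeader.
function exposedResponseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    const lower = k.toLowerCase();
    if (lower === 'set-cookie' || lower === 'set-cookie2') continue;
    out[k] = v;
  }
  return out;
}

// Server-side audit: which of the named session cookies were set without HttpOnly.
function auditSetCookie(setCookieHeaders, sessionCookieNames) {
  const wanted = new Set(sessionCookieNames);
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => wanted.has(c.name) && !c.httpOnly)
    .map((c) => c.name);
}

// Constructed demo response: one HttpOnly session cookie, one ordinary cookie.
const demoSetCookie = [
  'JSESSIONID=abc123; Path=/; HttpOnly; Secure',
  'theme=dark; Path=/',
];
const jar = new CookieJar();
jar.storeFromResponse(demoSetCookie);
console.log('document.cookie  ->', jar.documentCookieView());
console.log('Cookie header    ->', jar.requestCookieHeader());
console.log('missing HttpOnly ->', auditSetCookie(['JSESSIONID=x; Path=/'], ['JSESSIONID']));
```

Run with `node` to see the split: the session cookie appears in the outbound `Cookie` header but not in the script-visible view. The audit helper is the piece worth wiring into a test suite on the server side, since the flag is only useful if it is actually set on every session cookie.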