[owasp-intrinsic-security] HTTPOnly cookie flag

Bil Corry bil at corry.biz
Wed Nov 12 02:04:38 EST 2008

Jim Manico wrote on 11/11/2008 4:52 PM: 
> Ideally, I think we want a separate HttpOnly RFC - since so many others
> specs may need to address it. Can we just start it, or do we need
> Microsoft to take charge here?

Then let's start it.  It's been so many years that if Microsoft was interested in creating a RFC for HTTPOnly, they would have done it by now.

> http://www.w3.org/TR/XMLHttpRequest is woefully addressing HTTPOnly
> incorrectly. Anne and I went one round on this topic, and I lost. In
> particular, section 3's "Security Considerations" seems almost tragic
> (*at their discretion* did not seem strong enough to me) see:
> http://www.w3.org/TR/XMLHttpRequest/#security 

Here's what I see: HTTPOnly technically describes how JavaScript can interact with a cookie.  With XHR, JavaScript is actually interacting with the *headers* that set/advertise the cookie, not the cookie itself (weak distinction).  So we can either have the RFC cover just the cookie, and work with Anne to cover filtering the headers, or we can have the RFC cover both the cookie and filtering the headers.

I can ask Yngve what the process is for creating a draft RFC and proceed from there.  For anyone interested in helping write the draft, let me know off-list and I'll coordinate our efforts.

- Bil

More information about the owasp-intrinsic-security mailing list