[owasp-intrinsic-security] HTTPOnly cookie flag
bil at corry.biz
Wed Nov 12 02:04:38 EST 2008
Jim Manico wrote on 11/11/2008 4:52 PM:
> Ideally, I think we want a separate HttpOnly RFC - since so many others
> specs may need to address it. Can we just start it, or do we need
> Microsoft to take charge here?
Then let's start it. It's been so many years that if Microsoft was interested in creating an RFC for HTTPOnly, they would have done it by now.
> http://www.w3.org/TR/XMLHttpRequest is woefully addressing HTTPOnly
> incorrectly. Anne and I went one round on this topic, and I lost. In
> particular, section 3's "Security Considerations" seems almost tragic
> (*at their discretion* did not seem strong enough to me) see:
I can ask Yngve what the process is for creating a draft RFC and proceed from there. For anyone interested in helping write the draft, let me know off-list and I'll coordinate our efforts.
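The XMLHttpRequest problem the thread refers to, as an added example that is not part of the original message, of the XHR spec, or of any browser's code: a small JavaScript model of the two places a user agent has to enforce HttpOnly, the script-visible cookie string (document.cookie) and the response headers that getAllResponseHeaders() returns. If Set-Cookie is exposed through the second path, the flag is undone, which is why a discretionary filter is not enough. The functions, the cookie jar and the sample response below are constructed stand-ins, not real browser APIs.

```javascript
// Added example, not from the list thread or from any browser or spec.
// Models the two places a user agent has to enforce HttpOnly: the
// script-visible cookie string (document.cookie) and the response headers
// that XMLHttpRequest.getAllResponseHeaders() hands back to script.
// The jar and header table below are constructed stand-ins, not a real UA.

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  if (parts.length === 0 || parts[0].indexOf('=') < 0) {
    throw new Error('malformed Set-Cookie: ' + header);
  }
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? true : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;   // flag attribute, no value
    else if (key === 'secure') cookie.secure = true;  // flag attribute, no value
    else cookie.attrs[key] = val;                     // path, domain, expires, ...
  }
  return cookie;
}

// What document.cookie must return: every cookie in the jar except HttpOnly ones.
function scriptVisibleCookies(jar) {
  return jar
    .filter(c => !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// What getAllResponseHeaders() should expose. If Set-Cookie (or the older
// Set-Cookie2) reaches script here, the HttpOnly cookie is readable straight
// from the response and the flag is worthless, which is why this filter has
// to be mandatory rather than left to the UA's discretion.
function exposedResponseHeaders(rawHeaders, { filterSetCookie = true } = {}) {
  const out = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    const lower = name.toLowerCase();
    if (filterSetCookie && (lower === 'set-cookie' || lower === 'set-cookie2')) continue;
    out[name] = value;
  }
  return out;
}

// Constructed sample response: one HttpOnly session cookie, one ordinary cookie.
const sampleResponse = {
  'Content-Type': 'text/html',
  'Set-Cookie': [
    'sessionid=7f3a2b; Path=/; Secure; HttpOnly',
    'theme=dark; Path=/',
  ],
};

// Run a response through both enforcement points and report what script sees.
function whatScriptSees(response, opts) {
  const jar = [].concat(response['Set-Cookie'] || []).map(parseSetCookie);
  const headers = exposedResponseHeaders(response, opts);
  return {
    documentCookie: scriptVisibleCookies(jar),
    exposedHeaderNames: Object.keys(headers),
    sessionLeakedViaHeaders: JSON.stringify(headers).includes('sessionid'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('conforming UA:', whatScriptSees(sampleResponse));
  console.log('lax UA       :', whatScriptSees(sampleResponse, { filterSetCookie: false }));
}
```

With the filter on, script sees only theme=dark and a header list without Set-Cookie; with it off, the same page's script can read sessionid out of the raw headers even though document.cookie hid it, which is the gap the draft would need to close in normative language.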