[owasp-intrinsic-security] HTTPOnly cookie flag

Jim Manico jim.manico at aspectsecurity.com
Wed Nov 12 16:44:33 EST 2008


> Then let's start it.  

I'm in!

> Here's what I see: HTTPOnly technically describes how JavaScript can
> interact with a cookie.  With XHR, JavaScript is actually interacting
> with the *headers* that set/advertise the cookie, not the cookie itself
> (weak distinction).  So we can either have the RFC cover just the
> cookie, and work with Anne to cover filtering the headers, or we can
> have the RFC cover both the cookie and filtering the headers.

All browser implementations continue to get this wrong - even though we
should see complete support in FF and IE soon. 

I say - let's cover ALL use cases of HTTPOnly - including header
filters. There needs to be at least one RFC in the world that discusses
this topic completely and securely. Almost every other reference to
HTTPOnly is either incomplete or wrong. Let's get this right in a
complete way. :)

- Jim

-----Original Message-----
From: owasp-intrinsic-security-bounces at lists.owasp.org
[mailto:owasp-intrinsic-security-bounces at lists.owasp.org] On Behalf Of
Bil Corry
Sent: Wednesday, November 12, 2008 2:05 AM
To: owasp-intrinsic-security at lists.owasp.org
Subject: Re: [owasp-intrinsic-security] HTTPOnly cookie flag

Jim Manico wrote on 11/11/2008 4:52 PM: 
> Ideally, I think we want a separate HttpOnly RFC - since so many other
> specs may need to address it. Can we just start it, or do we need
> Microsoft to take charge here?

Then let's start it.  It's been so many years that if Microsoft was
interested in creating an RFC for HTTPOnly, they would have done it by
now.


> http://www.w3.org/TR/XMLHttpRequest is woefully addressing HTTPOnly
> incorrectly. Anne and I went one round on this topic, and I lost. In
> particular, section 3's "Security Considerations" seems almost tragic
> (*at their discretion* did not seem strong enough to me) see:
> http://www.w3.org/TR/XMLHttpRequest/#security 

Here's what I see: HTTPOnly technically describes how JavaScript can
interact with a cookie.  With XHR, JavaScript is actually interacting
with the *headers* that set/advertise the cookie, not the cookie itself
(weak distinction).  So we can either have the RFC cover just the
cookie, and work with Anne to cover filtering the headers, or we can
have the RFC cover both the cookie and filtering the headers.

I can ask Yngve what the process is for creating a draft RFC and proceed
from there.  For anyone interested in helping write the draft, let me
know off-list and I'll coordinate our efforts.


- Bil
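The two enforcement points Bil describes above (the cookie itself, which script reads through document.cookie, versus the Set-Cookie headers that XHR can hand back to script) modelled in one place. This is an added example written for this page; it is not code from the thread or from any browser. The parser, the CookieJar class, the xhr* helpers and the SAMPLE_HEADERS are this example's own names and constructed data, a model of the behaviour rather than any real browser API:

```javascript
// Model of HttpOnly enforcement at both points discussed in the thread.
// All names here are this example's own, not a browser's API.

// Parse one Set-Cookie / Set-Cookie2 header value into a cookie record.
// Returns null for a malformed value with no cookie name.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null; // no name before '=' means no cookie
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    httpOnly: false,
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? true : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true; // attribute names are case-insensitive
    else cookie.attrs[key] = val;
  }
  return cookie;
}

// Enforcement point 1: the cookie jar. Every cookie is sent on the wire,
// but the view exposed to script (document.cookie) omits HttpOnly ones.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Store cookies from Set-Cookie and Set-Cookie2 response headers.
  setFromHeaders(headers) {
    for (const [name, value] of headers) {
      const n = name.toLowerCase();
      if (n === 'set-cookie' || n === 'set-cookie2') {
        const c = parseSetCookie(value);
        if (c) this.cookies.set(c.name, c);
      }
    }
  }

  // What the network layer puts in the Cookie request header: all cookies.
  cookieHeader() {
    return [...this.cookies.values()].map((c) => `${c.name}=${c.value}`).join('; ');
  }

  // What script sees via document.cookie: HttpOnly cookies filtered out.
  scriptVisible() {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Enforcement point 2: response headers exposed to XHR. Set-Cookie and
// Set-Cookie2 are withheld entirely, so script cannot read an HttpOnly
// cookie back out of the header that set it. Dropping the whole header
// (rather than only the HttpOnly lines) keeps the filter independent of
// cookie-parsing quirks.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

function xhrGetResponseHeader(headers, name) {
  const wanted = name.toLowerCase();
  if (FORBIDDEN_RESPONSE_HEADERS.has(wanted)) return null;
  const matches = headers.filter(([k]) => k.toLowerCase() === wanted).map(([, v]) => v);
  return matches.length ? matches.join(', ') : null;
}

function xhrGetAllResponseHeaders(headers) {
  return headers
    .filter(([k]) => !FORBIDDEN_RESPONSE_HEADERS.has(k.toLowerCase()))
    .map(([k, v]) => `${k}: ${v}`)
    .join('\r\n');
}

// Constructed sample response headers (not captured from any real server).
const SAMPLE_HEADERS = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'SESSIONID=abc123; Path=/; HttpOnly; Secure'],
  ['Set-Cookie', 'theme=dark; Path=/'],
  ['Set-Cookie2', 'legacy=1; Version=1; httponly'],
  ['X-Frame-Options', 'DENY'],
];

// Run both enforcement points over the sample and return what each side sees.
function demo() {
  const jar = new CookieJar();
  jar.setFromHeaders(SAMPLE_HEADERS);
  return {
    sent: jar.cookieHeader(),                                   // network layer
    visible: jar.scriptVisible(),                               // document.cookie
    viaHeader: xhrGetResponseHeader(SAMPLE_HEADERS, 'Set-Cookie'), // XHR, single header
    all: xhrGetAllResponseHeaders(SAMPLE_HEADERS),              // XHR, all headers
  };
}

console.log(demo());
```

With both filters in place the session cookie is sent on every request but never appears in document.cookie, in getResponseHeader('Set-Cookie'), or in getAllResponseHeaders(); remove either filter and script regains a path to it, which is the gap the thread wants a single RFC to close.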

_______________________________________________
owasp-intrinsic-security mailing list
owasp-intrinsic-security at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-intrinsic-security