[owasp-intrinsic-security] HTTPOnly cookie flag

Bil Corry bil at corry.biz
Wed Nov 12 17:17:50 EST 2008


Jim Manico wrote on 11/12/2008 3:44 PM: 
> I'm in!

Yngve pointed me to these resources:

	The IETF Process: an Informal Guide
	http://www.ietf.org/IESG/content/procdocs.html

	Guidelines to Authors of Internet-Drafts
	http://www.ietf.org/ietf/1id-guidelines.html

And he also mentioned using XMLmind to write the draft.  I tracked these resources down for that:

	Writing Internet Drafts and RFCs Using XML
	http://cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-1/101_writing-rfcs.html

	XMLmind XML Editor
	http://www.xmlmind.com/xmleditor/


I'll have to take some time to dig through all of that.  I haven't looked at the XMLmind XML Editor, but I'm far more attracted to using it than manually creating the draft by hand.


> I say - let's cover ALL use cases of HTTPOnly - including header
> filters. There needs to be at least one RFC in the world that discusses
> this topic completely and securely. Almost every other reference to
> HTTPOnly is either incomplete or wrong. Let's get the right in a
> complete way. :)

That sounds good to me.  I've created a list over at Google Groups; let's take the discussion over there:

	http://groups.google.com/group/ietf-httponly-wg


- Bil


