[Webappsec] HTTP only support in XMLHTTPRequest
eric.bing at oracle.com
Wed May 7 20:39:28 EDT 2008
Sounds good. And I agree with the Conjecture as well. Before diving
too deep into gathering signatures, do you want to ping the working group
on this to find out if there are objections? I'm happy to do this if
you want. It would be good to know about specific issues.
And I'm working this on the Oracle side as well.
Senior Director, Application Security
/The statements and opinions expressed here are my own and do not
necessarily represent those of Oracle Corporation./
Jim Manico wrote:
> Conjecture: Restricting XMLHTTPRequest from reading HttpOnly cookies
> is not going to stop web 2.x innovation *in any way.*
> I propose that we set up a petition over this issue (I'll lead the
> charge in getting this set up) and submit the results to the w3c over
> this specific issue.
> Cool, Arian?
> - Jim
>> This is nice, but as you said, if we don't involve the W3C this will
>> assuredly slide down that slippery slope of open access. Our
>> community hasn't done an effective job with this so far (IMHO).
>> I believe the social-networking software community folks want
>> XMLHTTPRequest to have access to anything they want it to,
>> *especially* including values they deem as useful (personalization
>> and tracking cookies).
>> Having OWASP support this would make sense, and add
>> weight. Several user-agent implementation projects follow
>> OWASP today....
>> Also, so would having "Oracle" encouraging this.
>> I don't think most of us as individuals will have much say or
>> sway, especially if there starts to be conflicting interests
>> with the functions of XMLHTTPRequest going forward
>> (and I think there will be).
> Jim Manico, Senior Application Security Engineer
> jim.manico at aspectsecurity.com | jim at manico.net
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
> Aspect Security(TM)
> Securing your applications at the source