[Webappsec] HTTP only support in XMLHTTPRequest

eric bing eric.bing at oracle.com
Wed May 7 20:39:28 EDT 2008


Sounds good.  And I agree with the Conjecture as well.  Before diving 
too deep into gathering signatures do you want to ping the working group 
on this to find out if there are objections?  I'm happy to do this if 
you want.  It would be good to know about specific issues. 

And I'm working this on the Oracle side as well.

Eric Bing
Senior Director, Application Security
Oracle Corporation

/The statements and opinions expressed here are my own and do not 
necessarily represent those of Oracle Corporation./


Jim Manico wrote:
> Conjecture: Restricting XMLHTTPRequest from reading HttpOnly cookies 
> is not going to stop w 2.x innovation *in any way.*
>
> I propose that we set up a petition over this issue (I'll lead the 
> charge in getting this set up) and submit the results to the w3c over 
> this specific issue.
>
> Cool, Arian?
> - Jim
>> This is nice, but as you said, if we don't involve the W3C this will
>> assuredly slide down that slippery slope of open access. Our
>> community hasn't done an effective job with this so far (IMHO).
>>
>> I believe the social-networking software community folks want
>> XMLHTTPRequest to have access to anything they want it to,
>> *especially* including values they deem as useful (personalization
>> and tracking cookies).
>>
>> Having OWASP support this would make sense, and add
>> weight. Several user-agent implementation projects follow
>> OWASP today....
>>
>> Also, so would having "Oracle" encouraging this.
>>
>> I don't think most of us as individuals will have much say or
>> sway, especially if there starts to be conflicting interests
>> with the functions of XMLHTTPRequest going forward
>> (and I think there will be).
>>
>>
>>   
>
>
> -- 
> Jim Manico, Senior Application Security Engineer
> jim.manico at aspectsecurity.com | jim at manico.net
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security^(TM)
> Securing your applications at the source
> http://www.aspectsecurity.com
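Added example, not from either poster in this thread: the HttpOnly attribute only helps if the server actually sets it on the cookies that matter, so a defender's first check is to audit the Set-Cookie headers a server issues. The script below (Node.js, runnable offline) parses raw Set-Cookie header values and reports cookies that lack HttpOnly or Secure. The sample headers and cookie names are constructed for the example; the parsing follows the name=value; attr; attr=value layout of the header.

```javascript
// Added example: audit Set-Cookie header values for the HttpOnly (and Secure)
// attributes. A cookie without HttpOnly is readable by page script via
// document.cookie in the browser, which is the exposure the thread is about.

// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute names are case-insensitive, so they are lower-cased for lookup.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map(s => s.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  // Everything after the first '=' is the value (values may themselves contain '=')
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    // Flag attributes (HttpOnly, Secure) carry no value; store them as true
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return {
    name,
    value,
    httpOnly: attributes.httponly === true,
    secure: attributes.secure === true,
    attributes,
  };
}

// Return one finding per cookie that is missing HttpOnly and/or Secure.
function auditSetCookieHeaders(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    const problems = [];
    if (!c.httpOnly) problems.push('missing HttpOnly');
    if (!c.secure) problems.push('missing Secure');
    if (problems.length > 0) findings.push({ name: c.name, problems });
  }
  return findings;
}

// Constructed sample: one well-protected session cookie, one tracking cookie
// with neither flag, one preference cookie with Secure but not HttpOnly.
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/; HttpOnly; Secure',
  'tracking=xyz; Path=/; Max-Age=31536000',
  'prefs=dark; Path=/; Secure',
];

console.log(auditSetCookieHeaders(SAMPLE_HEADERS));
```

In practice the input list comes from the response of the site under review (for example the `set-cookie` array on a Node `http` response object); only the session cookie in the sample passes, the other two are reported.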