On 08-09-2014 at 18:58, Martin Thomson wrote:
On 07/09/14 07:09, Jesper Kristensen wrote:
Cookies are segregated by http vs https, right?

No, unfortunately they are not. Numerous attempts at fixing it have been
rejected by browser vendors. For example
http://tools.ietf.org/html/draft-abarth-cake-01

They are, somewhat.

All cookies are available to an https origin, but some are restricted so
that http origins can't see them.

https://tools.ietf.org/html/rfc6265#section-5.4
        *  If the cookie's secure-only-flag is true, then the request-
           uri's scheme must denote a "secure" protocol (as defined by
           the user agent).

Yes, the abstract in the linked spec draft clearly states this: You can establish cookie confidentiality using the Secure flag, but it is not possible today to establish cookie integrity.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
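
The confidentiality-versus-integrity point made in this thread, as an added example that is not part of the original messages: a simplified model of the RFC 6265 cookie store. `CookieJar`, `demo` and the host `example.test` are constructed for illustration, and only host-only cookies with prefix path matching are modelled.

```javascript
// Simplified model of RFC 6265 storage and retrieval (illustrative names, not a browser API).
class CookieJar {
  constructor() {
    this.store = new Map();
  }

  // RFC 6265 section 5.3: a stored cookie is identified by name, domain and path.
  // The scheme of the response that set it is not part of that identity.
  setCookie(url, { name, value, secure = false, path = "/" }) {
    const { hostname } = new URL(url);
    const key = `${name};${hostname};${path}`;
    this.store.set(key, { name, value, secure, domain: hostname, path });
  }

  // RFC 6265 section 5.4: a cookie whose secure-only-flag is true is sent
  // only when the request-uri's scheme denotes a "secure" protocol.
  cookieHeader(url) {
    const { protocol, hostname, pathname } = new URL(url);
    return [...this.store.values()]
      .filter((c) => c.domain === hostname && pathname.startsWith(c.path))
      .filter((c) => !c.secure || protocol === "https:")
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

function demo() {
  const jar = new CookieJar();

  // Constructed sample: the https origin sets a Secure cookie.
  jar.setCookie("https://example.test/", { name: "sid", value: "from-https", secure: true });
  const httpSees = jar.cookieHeader("http://example.test/");   // confidentiality holds
  const httpsSees = jar.cookieHeader("https://example.test/");

  // A plain-http response for the same host sets the same name/domain/path.
  // Under RFC 6265 it replaces the stored cookie, so integrity does not hold.
  jar.setCookie("http://example.test/", { name: "sid", value: "from-http" });
  const httpsAfter = jar.cookieHeader("https://example.test/");

  return { httpSees, httpsSees, httpsAfter };
}

console.log(demo());
```

The model follows RFC 6265 as published; the `__Secure-` and `__Host-` cookie name prefixes and the later rule that non-secure origins may not overwrite Secure cookies were specified afterwards to address this gap.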
