The "HttpOnly" property is an extended cookie property originally introduced in Internet Explorer 6:
http://msdn2.microsoft.com/en-us/library/ms533046.aspx

Its function is to reduce the risk of browser ID disclosure with cross-site scripting (XSS). When the property is set, the browser blocks JavaScript access to the cookie via document.cookies. Some implementations also take this as a hint to obscure the cookie data in storage for extra protection.

Support for this has been added to Firefox as of 2.0.0.5:
https://bugzilla.mozilla.org/show_bug.cgi?id=178993

And apparently also Opera 9.5 Alpha:
http://snapshot.opera.com/windows/w950a1.html

Although this is not part of any official RFC as far as I know, and I generally am no fan of putting in proprietary things, this property offers a VERY valuable security blanket for developers using cookies to store client-side state. I think Restlet ought to add support for this feature to CookieSetting. But I thought that I'd give people the opportunity to throw rotten tomatoes at the idea before I submit an RFE and patch.

- Rob
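As an added illustration of what the proposed CookieSetting flag would have to emit on the wire (this is example code, not Rob's patch and not Restlet's Java API; it is written in Python so it can run on its own, and the function names build_set_cookie, parse_set_cookie and cookies_missing_httponly are hypothetical), the block below serializes a Set-Cookie header with the HttpOnly attribute, parses such headers back into their attributes, and audits a constructed set of response headers for session cookies that lack the attribute:

```python
"""Set-Cookie builder and HttpOnly auditor (added example, not Restlet code)."""

from typing import Dict, List, Optional


def build_set_cookie(name: str, value: str, *, http_only: bool = True,
                     secure: bool = False, path: Optional[str] = "/",
                     max_age: Optional[int] = None) -> str:
    """Serialize one Set-Cookie header value.

    HttpOnly and Secure are flag attributes (no '=value'); Path and Max-Age
    carry a value. ';' is the attribute separator and CR/LF would let a caller
    inject further headers, so neither may appear in the name or the value.
    """
    for field in (name, value):
        if any(ch in field for ch in ";\r\n"):
            raise ValueError("cookie name/value must not contain ';' or CR/LF")
    parts = [f"{name}={value}"]
    if path is not None:
        parts.append(f"Path={path}")
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header value into its name/value pair and attributes.

    Attribute names are matched case-insensitively, as browsers do; flag
    attributes such as HttpOnly are stored as True.
    """
    pieces = [p.strip() for p in header.split(";")]
    first = pieces[0]
    if "=" not in first:
        raise ValueError(f"malformed cookie pair: {first!r}")
    name, value = first.split("=", 1)
    attrs: Dict[str, object] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        if "=" in piece:
            k, v = piece.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        else:
            attrs[piece.lower()] = True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookies_missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of cookies whose Set-Cookie header lacks HttpOnly."""
    missing = []
    for h in set_cookie_headers:
        parsed = parse_set_cookie(h)
        if "httponly" not in parsed["attrs"]:
            missing.append(parsed["name"])
    return missing


# Constructed sample response headers for the audit; not captured from any real server.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/",
    "auth=tok; Path=/; Secure",
]

if __name__ == "__main__":
    print(build_set_cookie("JSESSIONID", "abc123", secure=True))
    print("cookies without HttpOnly:", cookies_missing_httponly(SAMPLE_HEADERS))
```

The auditor only reports whether the attribute is present; HttpOnly keeps script from reading the cookie via document.cookie, but it says nothing about transport, so a session cookie should be checked for Secure as well when it is meant to travel over TLS only.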

