Hi Rob,

It seems like a useful extension. I would just name the additional
CookieSetting property "accessRestricted" instead of "httpOnly" to make it
more generic. We'll document that this property maps to the "httpOnly"
parameter in the Javadocs. Please, feel free to submit an RFE and patch.

Best regards,
Jerome  

> -----Original Message-----
> From: Rob Heittman [mailto:[EMAIL PROTECTED] 
> Sent: Sunday 16 September 2007 22:43
> To: discuss
> Subject: HttpOnly support in CookieSetting?
> 
> 
> The "HttpOnly" property is an extended cookie property 
> originally introduced in Internet Explorer 6: 
> 
> http://msdn2.microsoft.com/en-us/library/ms533046.aspx 
> 
> Its function is to reduce the risk of browser ID disclosure 
> with cross site scripting (XSS).  When the property is set, 
> the browser blocks Javascript access to the cookie via 
> document.cookies.  Some implementations also take this as a 
> hint to obscure the cookie data in storage for extra protection.
> 
> Support for this has been added to Firefox as of 2.0.0.5:
> https://bugzilla.mozilla.org/show_bug.cgi?id=178993
> 
> And apparently also Opera 9.5 Alpha:
> http://snapshot.opera.com/windows/w950a1.html
> 
> Although this is not part of any official RFC as far as I 
> know, and I generally am no fan of putting in proprietary 
> things, this property offers a VERY valuable security blanket 
> for developers using cookies to store client side state.  I 
> think Restlet ought to add support for this feature to CookieSetting.
> 
> But, I thought that I'd give the opportunity for people to 
> throw rotten tomatoes at the idea before I submit an RFE and patch.
> 
> - Rob
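As an added illustration of the attribute discussed in this thread (example code, not from the thread or from Restlet, and in Python rather than Java), a small helper that emits a Set-Cookie header carrying HttpOnly and an audit that flags response cookies lacking it; the name heuristics and sample headers are constructed assumptions:

```python
# Constructed example: Set-Cookie helper plus an audit for the HttpOnly attribute.
SESSION_HINTS = ("session", "sid", "auth", "token")  # assumed name heuristics


def build_set_cookie(name, value, http_only=True, secure=True, path="/"):
    """Return a Set-Cookie header value. HttpOnly keeps the cookie out of the
    script-visible document.cookie; Secure keeps it off plaintext HTTP."""
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val|True}).
    Attribute names are lower-cased because browsers match them case-insensitively."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Report whether a response cookie carries HttpOnly and Secure; a
    session-looking cookie without HttpOnly is the XSS exposure discussed above."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from script via document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP")
    return {
        "name": name,
        "session_like": any(h in name.lower() for h in SESSION_HINTS),
        "http_only": "httponly" in attrs,
        "secure": "secure" in attrs,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample headers: one hardened, one as an app might emit by default.
    for hdr in (build_set_cookie("SESSIONID", "c0ffee"), "SESSIONID=c0ffee; Path=/"):
        print(hdr, "->", audit_set_cookie(hdr))
```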
