Hi,

It seems the current draft does not discuss HttpOnly cookies and other headers that implementations may not want to expose. Can we have a Security Considerations section that clarifies that implementations may, at their discretion, not expose certain headers, perhaps giving HttpOnly cookies as an example where that may be desired? I would expect any future HttpOnly cookie specification to discuss its relationship with XMLHttpRequest in more detail, so I don't think we should include more of it than citing it as an example.

regards,
--
Björn Höhrmann · mailto:[EMAIL PROTECTED] · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
