Note: due to the wonders of W3C process we now have a new mailing list, public-webapps. I cc'ed it on this e-mail.

On Sat, 07 Jun 2008 00:18:32 +0200, eric bing <[EMAIL PROTECTED]> wrote:
Apologies for the late comments - I belatedly realized the close of
comments on this was June 3.

That's ok. Technical comments are _always_ welcome. (Though they may not always impact the transition to CR or some other level, of course.)


I've been discussing some of this internally within Oracle USA and
within the OWASP mail lists, and would like to make a suggestion.

We're very happy with the mention in the April 15th spec:
"Apart from requirements affecting security made throughout this
specification implementations may, at their discretion, not expose
certain headers, such as HttpOnly cookies."
http://dev.w3.org/2006/webapi/XMLHttpRequest/#security

However, we'd like to see even stronger language here.  We think it
should be *recommended* or, even better yet, *required* that
XMLHttpRequest not see these headers of HttpOnly cookies.  The fact
that XMLHttpRequest can currently see these cookies greatly undermines
the security value of this flag.

I very much agree, but given that nobody has defined cookies yet in sufficient detail making this a hard requirement is not really feasible at the moment. Once someone has defined cookies in sufficient detail we can revisit this.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
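Added example, not part of the thread above: the leak Eric describes is that a script can call getAllResponseHeaders() on an XMLHttpRequest and read Set-Cookie headers, HttpOnly attribute included, so an injected script (XSS) recovers a cookie the flag was meant to hide. The code below parses the header block in the shape getAllResponseHeaders() returns it, reports which HttpOnly cookies are visible, and shows the filter later versions of the XHR and Fetch specifications adopted (Set-Cookie and Set-Cookie2 are never exposed to script). The header block, cookie names and the probe URL are constructed for the example; the function names are mine, not the spec's.

```javascript
// Added example (not from the mailing-list thread). Demonstrates how script
// would read cookie headers through XMLHttpRequest, and the filtering an
// implementation must apply so HttpOnly cookies never reach script.

// Response header names that current XHR/Fetch specs never expose to script.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Parse the CRLF-separated "name: value" block returned by
// XMLHttpRequest.getAllResponseHeaders() into [name, value] pairs.
function parseHeaderBlock(raw) {
  return raw
    .split(/\r?\n/)
    .filter((line) => line.includes(":"))
    .map((line) => {
      const idx = line.indexOf(":");
      return [line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()];
    });
}

// Names of every cookie set with the HttpOnly attribute that is visible in
// the block, i.e. what an injected script could steal if the implementation
// did not filter Set-Cookie out of the headers handed to script.
function visibleHttpOnlyCookies(raw) {
  const names = [];
  for (const [name, value] of parseHeaderBlock(raw)) {
    if (name !== "set-cookie") continue;
    const attrs = value.split(";").map((s) => s.trim());
    const isHttpOnly = attrs.slice(1).some((a) => a.toLowerCase() === "httponly");
    if (isHttpOnly) names.push(attrs[0].split("=")[0]);
  }
  return names;
}

// The filter the thread asks to make mandatory: drop forbidden response
// headers before the block is handed to script.
function filterResponseHeaders(raw) {
  return (
    parseHeaderBlock(raw)
      .filter(([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name))
      .map(([name, value]) => `${name}: ${value}`)
      .join("\r\n") + "\r\n"
  );
}

// Browser-only probe: resolves to the HttpOnly cookie names the running user
// agent leaks through XHR for the given same-origin URL (a hypothetical path).
function probeXhrLeak(url) {
  return new Promise((resolve, reject) => {
    if (typeof XMLHttpRequest === "undefined") {
      return reject(new Error("XMLHttpRequest is only available in a browser"));
    }
    const xhr = new XMLHttpRequest();
    xhr.open("GET", url);
    xhr.onload = () => resolve(visibleHttpOnlyCookies(xhr.getAllResponseHeaders()));
    xhr.onerror = () => reject(new Error("request failed"));
    xhr.send();
  });
}

// Constructed header block, as an unfiltered implementation would hand it to
// script (cookie names and values are invented for this example).
const SAMPLE_HEADERS =
  "Content-Type: text/html\r\n" +
  "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n" +
  "Set-Cookie: theme=dark; Path=/\r\n" +
  "X-Frame-Options: DENY\r\n";

console.log("leaked HttpOnly cookies (unfiltered):", visibleHttpOnlyCookies(SAMPLE_HEADERS));
console.log("leaked HttpOnly cookies (filtered):  ",
  visibleHttpOnlyCookies(filterResponseHeaders(SAMPLE_HEADERS)));
```

Run in Node to see the parsing and filtering on the constructed block; in a browser, `probeXhrLeak("/login")` (a hypothetical endpoint) resolves to an empty array on any user agent that strips Set-Cookie from XHR responses, and to the leaked cookie names on one that does not.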
