On Wed, 10 Dec 2008 15:05:09 +0100, Jim Manico <[EMAIL PROTECTED]> wrote:
Thanks for your response and thought over this matter.
Perhaps we could make a compromise and change:
"Apart from requirements affecting security made throughout this
specification implementations *may, at their discretion*, not expose
certain headers, such as headers containing HttpOnly cookies."
to
"Apart from requirements affecting security made throughout this
specification implementations *should* not expose certain headers,
such as headers containing HttpOnly cookies."
Since implementors of XHR need to address this issue to truly honor the
security benefits of HTTPOnly, I would really like to see this in the
current XHR spec.
Well, per the current specification implementations "MUST NOT" (it's
phrased differently) expose Set-Cookie and Set-Cookie2 and "MUST NOT"
allow authors to set Cookie and Cookie2. So an httponly requirement
becomes sort of irrelevant as it is a subset of those requirements.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
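The rules Anne refers to above, modelled as an added example that is not part of the thread and not the spec's or any browser's code: a response-header filter that withholds Set-Cookie and Set-Cookie2 by header name, and a request-header setter that refuses Cookie and Cookie2. Because the filter keys on the header name, a Set-Cookie line is withheld whether or not it carries the HttpOnly attribute, which is why Anne says the HttpOnly case is a subset of the existing requirement. Assumed details: header names are compared case-insensitively, repeated headers are joined with ", " as getResponseHeader does, a forbidden request header is dropped silently rather than throwing, and the sample response below is constructed for the demonstration.

```javascript
'use strict';

// Forbidden names as stated in the message (assumed lowercase comparison,
// since HTTP header names are case-insensitive). Note: no HttpOnly parsing
// is needed; the filter works on the header name alone.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);
const FORBIDDEN_REQUEST_HEADERS = new Set(['cookie', 'cookie2']);

function isForbiddenResponseHeader(name) {
  return FORBIDDEN_RESPONSE_HEADERS.has(String(name).toLowerCase());
}

function isForbiddenRequestHeader(name) {
  return FORBIDDEN_REQUEST_HEADERS.has(String(name).toLowerCase());
}

// Model of xhr.getResponseHeader(name): null when the header is forbidden
// or absent; otherwise every matching value joined with ", ".
// responseHeaders is an array of [name, value] pairs (Set-Cookie can repeat).
function getResponseHeader(responseHeaders, name) {
  if (isForbiddenResponseHeader(name)) return null;
  const wanted = String(name).toLowerCase();
  const values = responseHeaders
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v);
  return values.length ? values.join(', ') : null;
}

// Model of xhr.getAllResponseHeaders(): every header except the forbidden ones,
// one "Name: value" per line, CRLF-separated.
function getAllResponseHeaders(responseHeaders) {
  return responseHeaders
    .filter(([n]) => !isForbiddenResponseHeader(n))
    .map(([n, v]) => `${n}: ${v}`)
    .join('\r\n');
}

// Model of xhr.setRequestHeader(name, value): a forbidden name is dropped
// (assumed: silently, returning false) so script cannot choose which
// cookies are sent; the browser's cookie jar does that.
function setRequestHeader(requestHeaders, name, value) {
  if (isForbiddenRequestHeader(name)) return false;
  requestHeaders.push([name, value]);
  return true;
}

// Constructed sample response: one HttpOnly cookie, one ordinary cookie,
// one ordinary header. Neither cookie reaches script, HttpOnly or not.
const SAMPLE_RESPONSE = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'sid=abc123; HttpOnly; Secure'],
  ['Set-Cookie', 'theme=dark'],
];

function demo() {
  const req = [];
  return {
    contentType: getResponseHeader(SAMPLE_RESPONSE, 'content-type'),
    setCookie: getResponseHeader(SAMPLE_RESPONSE, 'Set-Cookie'),      // null
    allHeaders: getAllResponseHeaders(SAMPLE_RESPONSE),               // Content-Type only
    cookieAccepted: setRequestHeader(req, 'Cookie', 'sid=forged'),    // false
    customAccepted: setRequestHeader(req, 'X-Requested-With', 'XMLHttpRequest'), // true
    requestHeaders: req,
  };
}

console.log(demo());
```

The point for a reviewer of the spec text: with the name-based rule in place, a separate "should not expose headers containing HttpOnly cookies" clause would cover only a subset of what is already forbidden, since the Set-Cookie line is withheld before any cookie attribute is examined.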