Stefanos Harhalakis wrote on 12/12/2008 1:49 PM:
> My personal opinion is that any IETF related conversation regarding this
> issue should happen at ietf-http-wg list (unless a new WG is created).
As you point out, I did post to ietf-http-wg and the feedback I received was
that someone should document cookies-as-they-exist first, then spec HTTPOnly.
Maybe that is the ideal way to handle it, but my primary concern is protecting
users via HTTPOnly. Mozilla, WebKit and Microsoft have all recently updated
their HTTPOnly features:
https://bugzilla.mozilla.org/show_bug.cgi?id=380418
https://bugs.webkit.org/show_bug.cgi?id=10957
http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
I haven't had a chance to test them yet against our draft, but vendors are
implementing HTTPOnly without the benefit of a well thought-out spec. For
example, Microsoft missed Cookie2 for HTTPOnly cookies:
http://ha.ckers.org/blog/20081111/httponly-fix-in-msxml/#comment-88826
That's the mess my group is tackling.
- Bil
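An added example, not code from the thread or from any of the vendors named above: a small audit that reports which cookies in a response carry the HttpOnly attribute, treating Set-Cookie and the RFC 2965 Set-Cookie2 header alike, which is the case the message says Microsoft's fix missed. The response headers are constructed, and each header is assumed to set a single cookie.

```python
from typing import Dict, List, Tuple

# Both header names that can set cookies. An audit that only inspects
# Set-Cookie overlooks Set-Cookie2, the gap mentioned in the thread.
COOKIE_SETTING_HEADERS = ("set-cookie", "set-cookie2")


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie/Set-Cookie2 value into (cookie name, attributes).

    Attribute names are lower-cased because HttpOnly, httponly and HTTPONLY
    are all accepted by browsers. Assumes one cookie per header value.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_httponly(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Classify every cookie-setting header as HttpOnly or missing it.

    Labels keep the header name so the report shows that Set-Cookie2
    was checked and not silently skipped.
    """
    report: Dict[str, List[str]] = {"httponly": [], "missing": []}
    for hname, hval in headers:
        if hname.lower() not in COOKIE_SETTING_HEADERS:
            continue
        cname, attrs = parse_set_cookie(hval)
        bucket = "httponly" if "httponly" in attrs else "missing"
        report[bucket].append(f"{hname}: {cname}")
    return report


# Constructed sample response headers (hypothetical, not from the thread).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Set-Cookie2", 'sid2="xyz"; Version=1; Path="/"; httponly'),
    ("Set-Cookie2", 'track="1"; Version=1'),
]

if __name__ == "__main__":
    print(audit_httponly(SAMPLE_HEADERS))
```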
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security