Jonas Sicking wrote on 12/16/2008 4:32 PM:
> Bil Corry wrote:
>> There's a group of us working on creating a spec for HTTPOnly
>> cookies. We have a draft of the HTTPOnly scope available to review:
>>
>> http://docs.google.com/View?docid=dxxqgkd_0cvcqhsdw
>>
>> If you have an active interest in participating, our list is here:
>>
>> http://groups.google.com/group/ietf-httponly-wg
>
> My first reaction to all this is: Can you really create a useful spec
> for HTTPOnly cookies without first creating a spec for cookies? I.e. as
> far as I know there is no useable spec out there for how to parse
> HTTPOnly cookies at all, so it'd seem hard to detect what a HTTPOnly
> cookie is.
That's what Dan Winship said (more or less):
http://lists.w3.org/Archives/Public/ietf-http-wg/2008OctDec/0235.html
I do agree that cookies could use a massive overhaul, taking the original
Netscape cookie spec, RFCs 2109, 2964, and 2965, along with Yngve Pettersen's
2965 replacement draft and merge them all together with the real-world
implementations (HTTPOnly, etc) and from that, create one spec to rule them all.
But as I replied to Stefanos; Mozilla, WebKit and Microsoft have all recently
updated their HTTPOnly features -- we want to piggyback on that momentum to get
HTTPOnly implemented in a standard way without having to wait another year or
two for a comprehensive cookie overhaul.
> That said, having a spec for cookies as well as HTTPOnly cookies would
> be great. However I think that you should try to as soon as possible
> bring the work to any of the existing organizations, such as IETF or
> WHATWG.
I'll be doing this in January, thanks.
- Bil
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
