Jonas Sicking wrote on 12/16/2008 4:32 PM:
> Bil Corry wrote:
>> There's a group of us working on creating a spec for HTTPOnly
>> cookies. We have a draft of the HTTPOnly scope available to review:
>>
>> http://docs.google.com/View?docid=dxxqgkd_0cvcqhsdw
>>
>> If you have an active interest in participating, our list is here:
>>
>> http://groups.google.com/group/ietf-httponly-wg
>
> My first reaction to all this is: Can you really create a useful spec
> for HTTPOnly cookies without first creating a spec for cookies? I.e. as
> far as I know there is no usable spec out there for how to parse
> HTTPOnly cookies at all, so it'd seem hard to detect what a HTTPOnly
> cookie is.

That's what Dan Winship said (more or less):

http://lists.w3.org/Archives/Public/ietf-http-wg/2008OctDec/0235.html

I do agree that cookies could use a massive overhaul, taking the original Netscape cookie spec, RFCs 2109, 2964, and 2965, along with Yngve Pettersen's 2965 replacement draft and merge them all together with the real-world implementations (HTTPOnly, etc.) and from that, create one spec to rule them all. But as I replied to Stefanos: Mozilla, WebKit and Microsoft have all recently updated their HTTPOnly features -- we want to piggyback on that momentum to get HTTPOnly implemented in a standard way without having to wait another year or two for a comprehensive cookie overhaul.

> That said, having a spec for cookies as well as HTTPOnly cookies would
> be great. However I think that you should try to as soon as possible
> bring the work to any of the existing organizations, such as IETF or
> WHATWG.

I'll be doing this in January, thanks.

- Bil

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
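Jonas's objection above is that, without a cookie spec, it is unclear how a parser even recognises an HttpOnly cookie. The following added example (written for this page, not code from the thread, Mozilla, WebKit or Microsoft) shows the attribute-parsing approach browsers converged on in practice and the places where ambiguity bites: splitting on `;` only, because an `Expires` value contains a comma; matching attribute names case-insensitively; and not confusing a cookie *named* `HttpOnly` with the attribute. The parsing rules and the sample headers are assumptions and constructed data, not a quotation of any standard.

```python
"""Added example (not from the thread): parse a Set-Cookie header the way
browsers did in practice and report whether it carries the HttpOnly flag.
The rules below (split on ';', first pair is name=value, attribute names
are case-insensitive, an attribute without '=' is a flag) are an assumption
based on then-common browser behaviour, not a quotation of any spec."""

from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or None for bare flags
    attributes: dict = field(default_factory=dict)
    httponly: bool = False
    secure: bool = False


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    # Split on ';' only: an Expires value such as "Wed, 09 Jun 2021 10:18:14 GMT"
    # contains a comma, so splitting the header on ',' would corrupt it.
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError("first segment must be name=value")
    cookie = ParsedCookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, has_eq, val = attr.partition("=")
        key = key.strip().lower()  # HttpOnly, httponly and HTTPONLY are all the flag
        cookie.attributes[key] = val.strip() if has_eq else None
    # Only an *attribute* named httponly sets the flag; the cookie's own
    # name or value is never consulted.
    cookie.httponly = "httponly" in cookie.attributes
    cookie.secure = "secure" in cookie.attributes
    return cookie


def httponly_cookie_names(headers):
    """Names of the cookies, across several Set-Cookie headers, that carry HttpOnly."""
    return [c.name for c in map(parse_set_cookie, headers) if c.httponly]


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "prefs=dark; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
    "tracker=xyz; httponly",      # attribute name is case-insensitive
    "HttpOnly=1; Path=/",         # a cookie *named* HttpOnly is not flagged
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        c = parse_set_cookie(h)
        print(f"{c.name!r}: httponly={c.httponly} secure={c.secure} attrs={c.attributes}")
```

Running the block reports `sessionid` and `tracker` as HttpOnly, leaves `prefs` unflagged with its comma-bearing `Expires` value intact, and does not flag the cookie whose name happens to be `HttpOnly`; those are exactly the decisions a spec would need to pin down for the flag to be interoperable.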