> Bil Corry wrote:
>> Jonas Sicking wrote on 12/16/2008 4:32 PM:
>>> Bil Corry wrote:
>>>> There's a group of us working on creating a spec for HTTPOnly
>>>> cookies.  We have a draft of the HTTPOnly scope available to review:
>>>>
>>>>     http://docs.google.com/View?docid=dxxqgkd_0cvcqhsdw
>>>>
>>>> If you have an active interest in participating, our list is here:
>>>>
>>>>     http://groups.google.com/group/ietf-httponly-wg
>>> My first reaction to all this is: Can you really create a useful spec
>>> for HTTPOnly cookies without first creating a spec for cookies? I.e. as
>>> far as I know there is no usable spec out there for how to parse
>>> HTTPOnly cookies at all, so it'd seem hard to detect what a HTTPOnly
>>> cookie is.
>>
>> That's what Dan Winship said (more or less):
>>
>>         http://lists.w3.org/Archives/Public/ietf-http-wg/2008OctDec/0235.html
>>
>> I do agree that cookies could use a massive overhaul, taking the original
>> Netscape cookie spec, RFCs 2109, 2964, and 2965, along with Yngve Pettersen's
>> 2965 replacement draft, merging them all together with the real-world
>> implementations (HTTPOnly, etc.) and from that, creating one spec to rule them all.
>>
>> But as I replied to Stefanos, Mozilla, WebKit and Microsoft have all recently
>> updated their HTTPOnly features -- we want to piggyback on that momentum to get
>> HTTPOnly implemented in a standard way without having to wait another year or
>> two for a comprehensive cookie overhaul.

Out of curiosity, what do you want to specify beyond what XMLHttpRequest and HTML5 specify?

/ Jonas
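The thread turns on two points: detecting the HttpOnly attribute when parsing Set-Cookie without a cookie spec to lean on, and what XMLHttpRequest and HTML5 already require of script-facing interfaces. The following is an added example, not code from the thread or from any of the browser projects named in it; function names are illustrative, and it assumes the common browser behaviour that attribute names match case-insensitively and that HttpOnly and Secure are flags whose value, if any, is ignored.

```javascript
// Added example (not from the thread): a small Set-Cookie parser that detects
// the HttpOnly flag, plus the two script-facing views the thread mentions:
// document.cookie (HTML5) and XMLHttpRequest.getResponseHeader (XHR spec).
// Names are illustrative; attribute names match case-insensitively, flags ignore values.

function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq <= 0) throw new Error('malformed cookie pair: ' + parts[0]);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;   // flag: value ignored
    else if (key === 'secure') cookie.secure = true;  // flag: value ignored
    else cookie.attrs[key] = val;                     // path, domain, expires, ...
  }
  return cookie;
}

// Cookie jar (name -> cookie); a later header for the same name replaces the earlier.
function buildJar(setCookieHeaders) {
  const jar = new Map();
  for (const h of setCookieHeaders) { const c = parseSetCookie(h); jar.set(c.name, c); }
  return jar;
}

// What document.cookie returns: HttpOnly cookies are omitted.
function documentCookie(jar) {
  return [...jar.values()]
    .filter(c => !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// What getResponseHeader returns: Set-Cookie and Set-Cookie2 are always hidden
// from script, whether or not the cookie carries HttpOnly.
function xhrResponseHeader(name, responseHeaders) {
  const n = name.toLowerCase();
  if (n === 'set-cookie' || n === 'set-cookie2') return null;
  const hit = responseHeaders.find(([k]) => k.toLowerCase() === n);
  return hit ? hit[1] : null;
}
```

Run against constructed headers such as `sessionid=abc123; Path=/; HttpOnly` and `theme=dark; Path=/`, `documentCookie` yields only `theme=dark`, while `xhrResponseHeader('Set-Cookie', ...)` yields null even for cookies without the flag.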
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security