Bil Corry wrote on 12/2/2008 12:48 PM:
> On Tue, 2 Dec 2008, Ian Hickson wrote:
>> On Tue, 2 Dec 2008, Anne van Kesteren wrote:
>>> http://www.whatwg.org/specs/web-apps/current-work/multipage/dom.html#dom-document-cookie
>>> currently does not take HTTPOnly into account. There should at
>>> least be a note there that the user agent may not always reveal all
>>> cookies the Cookie header contains. Likewise, HTTPOnly cookies are
>>> not be overwritten by script.
>> Done. Let me know if there's a reference I can use...
>
> Currently, there isn't a reference for HTTPOnly. There's a small group of us
> working on creating one, but we're still hammering out the scope:
>
> http://groups.google.com/group/ietf-httponly-wg
>
> Once we have a draft put together, I'll pass it along. And of course, if
> anyone here is interested in joining the discussion on HTTPOnly, we're open
> to more input.
Just an update, we have a draft of the HTTPOnly scope now available to review:
http://docs.google.com/View?docid=dxxqgkd_0cvcqhsdw
If you have an active interest in participating, our list is here:
http://groups.google.com/group/ietf-httponly-wg
- Bil
