Bil Corry wrote:
> Jonas Sicking wrote on 12/16/2008 4:32 PM:
>> Bil Corry wrote:
>>> There's a group of us working on creating a spec for HTTPOnly
>>> cookies.  We have a draft of the HTTPOnly scope available to review:

>>>     http://docs.google.com/View?docid=dxxqgkd_0cvcqhsdw

>>> If you have an active interest in participating, our list is here:

>>>     http://groups.google.com/group/ietf-httponly-wg
>> My first reaction to all this is: Can you really create a useful spec
>> for HTTPOnly cookies without first creating a spec for cookies? I.e. as
>> far as I know there is no useable spec out there for how to parse
>> HTTPOnly cookies at all, so it'd seem hard to detect what a HTTPOnly
>> cookie is.

> That's what Dan Winship said (more or less):

>    http://lists.w3.org/Archives/Public/ietf-http-wg/2008OctDec/0235.html

> I do agree that cookies could use a massive overhaul, taking the original Netscape cookie spec, RFCs 2109, 2964, and 2965, along with Yngve Pettersen's 2965 replacement draft and merge them all together with the real-world implementations (HTTPOnly, etc) and from that, create one spec to rule them all.

> But as I replied to Stefanos; Mozilla, WebKit and Microsoft have all recently updated their HTTPOnly features -- we want to piggyback on that momentum to get HTTPOnly implemented in a standard way without having to wait another year or two for a comprehensive cookie overhaul.