The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 |
Newsgroups: mozilla.dev.security
From: Bil Corry <b...@corry.biz>
Date: Fri, 12 Dec 2008 14:42:57 -0600
Local: Fri, Dec 12 2008 3:42 pm
Subject: Re: HTTPOnly cookies specification
Stefanos Harhalakis wrote on 12/12/2008 1:49 PM:
> My personal opinion is that any IETF related conversation regarding this issue As you point out, I did post to ietf-http-wg and the feedback I received was that someone should document cookies-as-they-exist first, then spec HTTPOnly. Maybe that is the ideal way to handle it, but my primary concern is protecting users via HTTPOnly. Mozilla, WebKit and Microsoft have all recently updated their HTTPOnly features: > should happen at ietf-http-wg list (unless a new WG is created). https://bugzilla.mozilla.org/show_bug.cgi?id=380418 I haven't had a chance to test them yet against our draft, but vendors are implementing HTTPOnly without the benefit of a well thought-out spec. For example, Microsoft missed Cookie2 for HTTPOnly cookies: http://ha.ckers.org/blog/20081111/httponly-fix-in-msxml/#comment-88826 That's the mess my group is tackling. - Bil You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
| |||||||||||||