[XMLHttpRequest]HttpOnly cookies visibility in XMLHttpRequest

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[XMLHttpRequest]HttpOnly cookies visibility in XMLHttpRequest

eric bing

Apologies for the late comments - I belatedly realized the close of comments on this was June 3.

I've been discussing some of this internally within Oracle USA and within the OWASP mail lists, and would like to make a suggestion.

We're very happy with the mention in the April 15th spec:
Apart from requirements affecting security made throughout this specification implementations may, at their discretion, not expose certain headers, such as HttpOnly cookies.

However, we'd like to see even stronger language here.  We think it should be recommended or even better yet required that XMLHttpRequest not see these headers of HttpOnly cookies.   The fact that XMLHTTPRequest can currently see these cookies greatly undermines the security value of this flag. 

Eric Bing,
Senior Director, Application Product Security
Oracle USA