[XMLHttpRequest]HttpOnly cookies visibility in XMLHttpRequest

by eric bing

Apologies for the late comments - I belatedly realized the close of comments on this was June 3.

I've been discussing some of this internally within Oracle USA and within the OWASP mail lists, and would like to make a suggestion.

We're very happy with the mention in the April 15th spec:
Apart from requirements affecting security made throughout this specification implementations may, at their discretion, not expose certain headers, such as HttpOnly cookies.
http://dev.w3.org/2006/webapi/XMLHttpRequest/#security

However, we'd like to see even stronger language here. We think it should be recommended, or better yet required, that XMLHttpRequest not see these headers of HttpOnly cookies. The fact that XMLHttpRequest can currently see these cookies greatly undermines the security value of this flag.

Thanks,
Eric Bing,
Senior Director, Application Product Security
Oracle USA