IETF Logo Mail Archive

Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?

Ian Hickson <ian@hixie.ch> Fri, 29 January 2010 00:04 UTC

Return-Path: <ian@hixie.ch>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B240A3A6867 for <hybi@core3.amsl.com>; Thu, 28 Jan 2010 16:04:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ro6KFj-dYpd6 for <hybi@core3.amsl.com>; Thu, 28 Jan 2010 16:04:04 -0800 (PST)
Received: from looneymail-a1.g.dreamhost.com (caibbdcaaaaf.dreamhost.com [208.113.200.5]) by core3.amsl.com (Postfix) with ESMTP id D87B53A6830 for <hybi@ietf.org>; Thu, 28 Jan 2010 16:04:04 -0800 (PST)
Received: from ps20323.dreamhostps.com (ps20323.dreamhost.com [69.163.222.251]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by looneymail-a1.g.dreamhost.com (Postfix) with ESMTP id A27AE15D8D5; Thu, 28 Jan 2010 16:04:24 -0800 (PST)
Date: Fri, 29 Jan 2010 00:04:22 +0000
From: Ian Hickson <ian@hixie.ch>
To: "Ian Fette (�~B��~B��~C��~C~U�~B��~C~C�~C~F�~B�)" <ifette@google.com>
In-Reply-To: <bbeaa26f1001281449q1a6e1813q3f537fe15a5a9d60@mail.gmail.com>
Message-ID: <Pine.LNX.4.64.1001282333130.22053@ps20323.dreamhostps.com>
References: <de17d48e1001280012i2657b587i83cda30f50013e6b@mail.gmail.com> <4B614CEC.2050400@ericsson.com> <Pine.LNX.4.64.1001280856380.22020@ps20323.dreamhostps.com> <4B616F17.4030402@ericsson.com> <4B619223.60408@webtide.com> <Pine.LNX.4.64.1001282141080.22020@ps20323.dreamhostps.com> <4B620B8F.6030706@gmx.de> <Pine.LNX.4.64.1001282217320.22053@ps20323.dreamhostps.com> <bbeaa26f1001281449q1a6e1813q3f537fe15a5a9d60@mail.gmail.com>
Content-Language: en-GB-hixie
Content-Style-Type: text/css
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-1555694626-1357462518-1264723462=:22053"
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2010 00:04:05 -0000

On Thu, 28 Jan 2010, Ian Fette (ã~B¤ã~B¢ã~C³ã~C~Uã~B§ã~C~Cã~C~Fã~B£) wrote:
>
> So, moving back to the original question... I am very concerned here. A 
> relatively straightforward question was asked, with rationale for the 
> question. "May/Should WebSocket use HttpOnly cookie while Handshaking? I 
> think it would be useful to use HttpOnly cookie on WebSocket so that we 
> could authenticate the WebSocket connection by the auth token cookie 
> which might be HttpOnly for security reason."

I replied to ukai on IRC -- independent of any politics, I plan to edit 
the spec as he suggested next week (allowing httpOnly cookies), along with 
going through all the other pending feedback on the spec.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

v2.23.0 | Report a Bug | By Email