IETF Logo Mail Archive

Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?

Greg Wilkins <gregw@webtide.com> Fri, 29 January 2010 14:13 UTC

Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A39323A6A80 for <hybi@core3.amsl.com>; Fri, 29 Jan 2010 06:13:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.469
X-Spam-Level:
X-Spam-Status: No, score=-2.469 tagged_above=-999 required=5 tests=[AWL=0.130, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CSde+eXwzecz for <hybi@core3.amsl.com>; Fri, 29 Jan 2010 06:13:10 -0800 (PST)
Received: from mail-bw0-f224.google.com (mail-bw0-f224.google.com [209.85.218.224]) by core3.amsl.com (Postfix) with ESMTP id 414983A6A7C for <hybi@ietf.org>; Fri, 29 Jan 2010 06:13:10 -0800 (PST)
Received: by bwz24 with SMTP id 24so42870bwz.29 for <hybi@ietf.org>; Fri, 29 Jan 2010 06:13:26 -0800 (PST)
Received: by 10.204.49.68 with SMTP id u4mr566044bkf.42.1264774405987; Fri, 29 Jan 2010 06:13:25 -0800 (PST)
Received: from ?10.10.1.11? (60-242-119-126.tpgi.com.au [60.242.119.126]) by mx.google.com with ESMTPS id 14sm919471bwz.1.2010.01.29.06.13.21 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 29 Jan 2010 06:13:24 -0800 (PST)
Message-ID: <4B62ECFA.5080304@webtide.com>
Date: Sat, 30 Jan 2010 01:13:14 +1100
From: Greg Wilkins <gregw@webtide.com>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: ifette@google.com
References: <de17d48e1001280012i2657b587i83cda30f50013e6b@mail.gmail.com> <4B614CEC.2050400@ericsson.com> <Pine.LNX.4.64.1001280856380.22020@ps20323.dreamhostps.com> <4B616F17.4030402@ericsson.com> <4B619223.60408@webtide.com> <Pine.LNX.4.64.1001282141080.22020@ps20323.dreamhostps.com> <4B620B8F.6030706@gmx.de> <Pine.LNX.4.64.1001282217320.22053@ps20323.dreamhostps.com> <bbeaa26f1001281449q1a6e1813q3f537fe15a5a9d60@mail.gmail.com> <4B627C98.60406@ericsson.com> <bbeaa26f1001282222p1ccb6a34s7fe79609c4a832e5@mail.gmail.com>
In-Reply-To: <bbeaa26f1001282222p1ccb6a34s7fe79609c4a832e5@mail.gmail.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Cc: hybi@ietf.org
Subject: Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2010 14:13:11 -0000

Ian Fette (イアンフェッティ) wrote:

>
> cookies are already sent with WS, the only question is whether that
> includes or excludes cookies that are HttpOnly

The upgrade request is a HTTP requests (well at least it should be
a HTTP request, and not just something that strongly resembles one),
so I believe HttpOnly cookies should be included.

This would not expose the cookie and it's value to the
javascript in browser, nor can I think of any way that this reduces
the security provided by HttpOnly.


regards

v2.23.0 | Report a Bug | By Email