Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?
Maciej Stachowiak <mjs@apple.com> Sat, 30 January 2010 02:28 UTC
Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1587B3A6872 for <hybi@core3.amsl.com>; Fri, 29 Jan 2010 18:28:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.234
X-Spam-Level:
X-Spam-Status: No, score=-105.234 tagged_above=-999 required=5 tests=[AWL=-0.032, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wO3JnWV7wY9P for <hybi@core3.amsl.com>; Fri, 29 Jan 2010 18:28:18 -0800 (PST)
Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id 506B43A689B for <hybi@ietf.org>; Fri, 29 Jan 2010 18:28:18 -0800 (PST)
Received: from relay11.apple.com (relay11.apple.com [17.128.113.48]) by mail-out4.apple.com (Postfix) with ESMTP id A5699893DD11 for <hybi@ietf.org>; Fri, 29 Jan 2010 18:28:42 -0800 (PST)
X-AuditID: 11807130-b7b0aae00000102c-34-4b63995ac961
Received: from et.apple.com (et.apple.com [17.151.62.12]) by relay11.apple.com (Apple SCV relay) with SMTP id 94.B9.04140.A59936B4; Fri, 29 Jan 2010 18:28:42 -0800 (PST)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_D7yzKOLUxERkpJY7qj6j5Q)"
Received: from [17.151.93.115] by et.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0KX100558G7U3R70@et.apple.com> for hybi@ietf.org; Fri, 29 Jan 2010 18:28:42 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <4B62ECFA.5080304@webtide.com>
Date: Fri, 29 Jan 2010 18:28:41 -0800
Message-id: <C485F6C3-642B-4897-A034-E4A4BC4316B5@apple.com>
References: <de17d48e1001280012i2657b587i83cda30f50013e6b@mail.gmail.com> <4B614CEC.2050400@ericsson.com> <Pine.LNX.4.64.1001280856380.22020@ps20323.dreamhostps.com> <4B616F17.4030402@ericsson.com> <4B619223.60408@webtide.com> <Pine.LNX.4.64.1001282141080.22020@ps20323.dreamhostps.com> <4B620B8F.6030706@gmx.de> <Pine.LNX.4.64.1001282217320.22053@ps20323.dreamhostps.com> <bbeaa26f1001281449q1a6e1813q3f537fe15a5a9d60@mail.gmail.com> <4B627C98.60406@ericsson.com> <bbeaa26f1001282222p1ccb6a34s7fe79609c4a832e5@mail.gmail.com> <4B62ECFA.5080304@webtide.com>
To: Greg Wilkins <gregw@webtide.com>
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: hybi@ietf.org
Subject: Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jan 2010 02:28:19 -0000
On Jan 29, 2010, at 6:13 AM, Greg Wilkins wrote: > Ian Fette (イアンフェッティ) wrote: > >> >> cookies are already sent with WS, the only question is whether that >> includes or excludes cookies that are HttpOnly > > The upgrade request is a HTTP requests (well at least it should be > a HTTP request, and not just something that strongly resembles one), > so I believe HttpOnly cookies should be included. > > This would not expose the cookie and it's value to the > javascript in browser, nor can I think of any way that this reduces > the security provided by HttpOnly. I agree. The purpose of HttpOnly is to prevent the cookie from being seen by scripting APIs, not to limit the network protocols over which it is provided. Thus, sending it over WebSocket connections would be in line with its purpose, and I think this is the case whether or not we think the WebSocket upgrade request is or is not HTTP. Regards, Maciej
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Salvatore Loreto
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Salvatore Loreto
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Wenbo Zhu
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Ian Hickson
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Greg Wilkins
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Ian Hickson
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Julian Reschke
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Ian Hickson
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Ian Fette (イアンフェッティ)
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Maciej Stachowiak
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Rob Sayre
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Ian Hickson
- [hybi] Process! was: [whatwg] HttpOnly cookie for… Greg Wilkins
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Rob Sayre
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Fette (イアンフェッティ)
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Hickson
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Salvatore Loreto
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Ian Fette (イアンフェッティ)
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… SM
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Hickson
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Martin J. Dürst
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… SM
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Hickson
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Hickson
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Julian Reschke
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Greg Wilkins
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Greg Wilkins
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Francis Brosnan Blazquez
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Justin Erenkrantz
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… SM
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Greg Wilkins
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Jamie Lokier
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Jamie Lokier
- [hybi] Technical feedback. was: Process! Greg Wilkins
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Greg Wilkins
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Roberto Peon
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… SM
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Greg Wilkins
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Maciej Stachowiak
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Maciej Stachowiak
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Maciej Stachowiak
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Greg Wilkins
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Maciej Stachowiak
- [hybi] Intermediaries and idle connections (was R… Maciej Stachowiak
- [hybi] Reliable message delivery (was Re: Technic… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Technical feedback. was: Process! Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Justin Erenkrantz
- Re: [hybi] Technical feedback. was: Process! Greg Wilkins
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] Intermediaries and idle connections (w… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Technical feedback. was: Process! Justin Erenkrantz
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Justin Erenkrantz
- Re: [hybi] Intermediaries and idle connections (w… Maciej Stachowiak
- Re: [hybi] Technical feedback. was: Process! Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Technical feedback. was: Process! Maciej Stachowiak
- Re: [hybi] Technical feedback. was: Process! Roberto Peon
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Intermediaries and idle connections (w… Greg Wilkins
- Re: [hybi] Technical feedback. was: Process! Greg Wilkins
- Re: [hybi] Technical feedback. was: Process! Greg Wilkins
- [hybi] Process, was: Technical feedback. was: Pro… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Justin Erenkrantz
- Re: [hybi] Process, was: Technical feedback. was:… Justin Erenkrantz
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] Intermediaries and idle connections (w… Maciej Stachowiak
- Re: [hybi] Intermediaries and idle connections (w… Greg Wilkins
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] Technical feedback. was: Process! Maciej Stachowiak
- Re: [hybi] Intermediaries and idle connections (w… Greg Wilkins
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] Technical feedback. was: Process! Greg Wilkins
- Re: [hybi] Intermediaries and idle connections (w… Greg Wilkins
- Re: [hybi] Process, was: Technical feedback. was:… Maciej Stachowiak
- Re: [hybi] Intermediaries and idle connections (w… Maciej Stachowiak
- Re: [hybi] Intermediaries and idle connections (w… Maciej Stachowiak
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] Process, was: Technical feedback. was:… SM
- Re: [hybi] Process, was: Technical feedback. was:… Greg Wilkins
- Re: [hybi] Process, was: Technical feedback. was:… Maciej Stachowiak
- Re: [hybi] Process, was: Technical feedback. was:… Greg Wilkins
- Re: [hybi] Intermediaries and idle connections (w… Jamie Lokier
- Re: [hybi] Intermediaries and idle connections (w… Maciej Stachowiak
- Re: [hybi] Intermediaries and idle connections (w… Greg Wilkins
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? John Fallows
- Re: [hybi] Intermediaries and idle connections (w… Justin Erenkrantz
- Re: [hybi] [whatwg] HttpOnly cookie for WebSocket? Salvatore Loreto
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Hickson
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Maciej Stachowiak
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Julian Reschke
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Ian Hickson
- Re: [hybi] Process! Ian Hickson
- Re: [hybi] Reliable message delivery (was Re: Tec… Salvatore Loreto
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Anne van Kesteren
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Anne van Kesteren
- Re: [hybi] Technical feedback. was: Process! Ian Hickson
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Thomson, Martin
- Re: [hybi] Reliable message delivery (was Re: Tec… Ian Hickson
- Re: [hybi] Reliable message delivery (was Re: Tec… Anne van Kesteren
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Process! SM
- Re: [hybi] Process! Ian Hickson
- Re: [hybi] Reliable message delivery (was Re: Tec… Ian Hickson
- Re: [hybi] Technical feedback. was: Process! Justin Erenkrantz
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Thomson, Martin
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Process! was: [whatwg] HttpOnly cookie… Martin J. Dürst
- Re: [hybi] Reliable message delivery (was Re: Tec… Justin Erenkrantz
- Re: [hybi] Reliable message delivery (was Re: Tec… Francis Brosnan Blazquez
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Jamie Lokier
- Re: [hybi] Technical feedback. was: Process! Jamie Lokier
- Re: [hybi] Technical feedback. was: Process! Jamie Lokier
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Technical feedback. was: Process! Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Mridul Muralidharan
- Re: [hybi] Reliable message delivery (was Re: Tec… Ian Hickson
- Re: [hybi] Reliable message delivery (was Re: Tec… Greg Wilkins
- Re: [hybi] Reliable message delivery (was Re: Tec… Mridul Muralidharan
- Re: [hybi] Reliable message delivery (was Re: Tec… Pieter Hintjens
- Re: [hybi] Reliable message delivery (was Re: Tec… Maciej Stachowiak
- Re: [hybi] Reliable message delivery (was Re: Tec… Mridul Muralidharan
- Re: [hybi] Reliable message delivery (was Re: Tec… Justin Erenkrantz
- Re: [hybi] Reliable message delivery (was Re: Tec… Scott Ferguson
- Re: [hybi] Reliable message delivery (was Re: Tec… Graham Klyne
- Re: [hybi] Reliable message delivery (was Re: Tec… Salvatore Loreto
- Re: [hybi] Reliable message delivery (was Re: Tec… Adam Barth
- Re: [hybi] Reliable message delivery (was Re: Tec… Salvatore Loreto
- Re: [hybi] Reliable message delivery (was Re: Tec… Ian Hickson