Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?

Maciej Stachowiak <mjs@apple.com> Sat, 30 January 2010 02:28 UTC

From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <4B62ECFA.5080304@webtide.com>
Date: Fri, 29 Jan 2010 18:28:41 -0800
Message-id: <C485F6C3-642B-4897-A034-E4A4BC4316B5@apple.com>
References: <de17d48e1001280012i2657b587i83cda30f50013e6b@mail.gmail.com> <4B614CEC.2050400@ericsson.com> <Pine.LNX.4.64.1001280856380.22020@ps20323.dreamhostps.com> <4B616F17.4030402@ericsson.com> <4B619223.60408@webtide.com> <Pine.LNX.4.64.1001282141080.22020@ps20323.dreamhostps.com> <4B620B8F.6030706@gmx.de> <Pine.LNX.4.64.1001282217320.22053@ps20323.dreamhostps.com> <bbeaa26f1001281449q1a6e1813q3f537fe15a5a9d60@mail.gmail.com> <4B627C98.60406@ericsson.com> <bbeaa26f1001282222p1ccb6a34s7fe79609c4a832e5@mail.gmail.com> <4B62ECFA.5080304@webtide.com>
To: Greg Wilkins <gregw@webtide.com>
Cc: hybi@ietf.org
Subject: Re: [hybi] [whatwg] HttpOnly cookie for WebSocket?
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>

On Jan 29, 2010, at 6:13 AM, Greg Wilkins wrote:

> Ian Fette (イアンフェッティ) wrote:
> 
>> 
>> cookies are already sent with WS, the only question is whether that
>> includes or excludes cookies that are HttpOnly
> 
> The upgrade request is an HTTP request (well, at least it should be
> an HTTP request, and not just something that strongly resembles one),
> so I believe HttpOnly cookies should be included.
> 
> This would not expose the cookie and its value to the
> JavaScript in the browser, nor can I think of any way that this reduces
> the security provided by HttpOnly.

I agree. The purpose of HttpOnly is to prevent the cookie from being seen by scripting APIs, not to limit the network protocols over which it is provided. Thus, sending it over WebSocket connections would be in line with its purpose, and I think this is the case whether or not we consider the WebSocket upgrade request to be HTTP.

Regards,
Maciej