[html5] r2517 - [] (0) Mention HTTP-only cookies. (credit: ak)
whatwg at whatwg.org
Tue Dec 2 02:03:47 PST 2008
Author: ianh
Date: 2008-12-02 02:03:46 -0800 (Tue, 02 Dec 2008)
New Revision: 2517
Modified:
index
source
Log:
[] (0) Mention HTTP-only cookies. (credit: ak)
Modified: index
===================================================================
--- index 2008-12-02 07:07:04 UTC (rev 2516)
+++ index 2008-12-02 10:03:46 UTC (rev 2517)
@@ -5791,7 +5791,7 @@
authority, it must return the empty string. Otherwise, it must
return the same string as the value of the <code title="">Cookie</code> HTTP header it would include if <a href=#fetch title=fetch>fetching</a> the resource indicated by <a href="#the-document's-address">the
document's address</a> over HTTP, as per RFC 2109 section 4.3.4
- or later specifications. <a href=#refsRFC2109>[RFC2109]</a> <a href=#refsRFC2965>[RFC2965]</a></p>
+ or later specifications, excluding HTTP-only cookies. <a href=#refsRFC2109>[RFC2109]</a> <a href=#refsRFC2965>[RFC2965]</a></p>
<p>On setting, if the document is not associated with a
<a href=#browsing-context>browsing context</a> then the user agent must raise an
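Review bot: "excluding HTTP-only cookies" in the getter sentence is a normative requirement built on a term this hunk neither defines nor links; the only explanation is the non-normative note added further down in the setter paragraph, and that note itself says the specification does not define what makes a cookie HTTP-only and that the editor knows of no reference for it. RFC 2109 section 4.3.4, cited in the same sentence, is therefore not where a reader will find the exclusion. Consider a <dfn> for "HTTP-only cookie" or at least an <a href> from this phrase to the note so the requirement resolves to something.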
@@ -5805,8 +5805,15 @@
<a href=#fetch>fetch</a> <a href="#the-document's-address">the document's address</a> over HTTP,
and had received a response with a <code>Set-Cookie</code> header
whose value was the specified value, as per RFC 2109 sections 4.3.1,
- 4.3.2, and 4.3.3 or later specifications. <a href=#refsRFC2109>[RFC2109]</a> <a href=#refsRFC2965>[RFC2965]</a></p>
+ 4.3.2, and 4.3.3 or later specifications, but without overwriting
+ the values of HTTP-only cookies. <a href=#refsRFC2109>[RFC2109]</a> <a href=#refsRFC2965>[RFC2965]</a></p>
+ <p class=note>This specification does not define what makes an
+ HTTP-only cookie, and at the time of publication the editor is not
+ aware of any reference for HTTP-only cookies. They are a feature
+ supported by some Web browsers wherein an "<code title="">httponly</code>" parameter added to the cookie string
+ causes the cookie to be hidden from script.</p>
+
<p class=note>Since the <code title=dom-document-cookie><a href=#dom-document-cookie>cookie</a></code> attribute is accessible
across frames, the path restrictions on cookies are only a tool to
help manage which cookies are sent to which parts of the site, and
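Review bot: "but without overwriting the values of HTTP-only cookies" leaves the setter's failure mode unspecified: it does not say whether the attempted Set-Cookie is dropped silently or raises, whether a non-HTTP-only cookie with the same name but a different path or domain may still be created, or whether a script-supplied "httponly" parameter is honoured, so two implementations following this text could diverge. Consider spelling it out, e.g. "if the cookie named in the value would replace an HTTP-only cookie, the user agent must ignore the attempt without raising an exception", and state explicitly whether script may create HTTP-only cookies. The note also gives the parameter as "httponly" without saying whether the name is matched case-insensitively; if that is the intent, say so.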
Modified: source
===================================================================
--- source 2008-12-02 07:07:04 UTC (rev 2516)
+++ source 2008-12-02 10:03:46 UTC (rev 2517)
@@ -5792,7 +5792,8 @@
title="">Cookie</code> HTTP header it would include if <span
title="fetch">fetching</span> the resource indicated by <span>the
document's address</span> over HTTP, as per RFC 2109 section 4.3.4
- or later specifications. <a href="#refsRFC2109">[RFC2109]</a> <a
+ or later specifications, excluding HTTP-only cookies. <a
+ href="#refsRFC2109">[RFC2109]</a> <a
href="#refsRFC2965">[RFC2965]</a></p>
<p>On setting, if the document is not associated with a
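Review bot: the source change mirrors the index, but "excluding HTTP-only cookies" is inserted as plain text while every other cross-reference in the same sentence uses the source's <span> convention (<span title="fetch">fetching</span>, <span>the document's address</span>). Wrapping the term as a <span>HTTP-only cookies</span> resolving to one <dfn> would let this getter sentence and the setter sentence below share a single definition instead of both relying on a note several paragraphs away.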
@@ -5807,10 +5808,18 @@
<span>fetch</span> <span>the document's address</span> over HTTP,
and had received a response with a <code>Set-Cookie</code> header
whose value was the specified value, as per RFC 2109 sections 4.3.1,
- 4.3.2, and 4.3.3 or later specifications. <a
+ 4.3.2, and 4.3.3 or later specifications, but without overwriting
+ the values of HTTP-only cookies. <a
href="#refsRFC2109">[RFC2109]</a> <a
href="#refsRFC2965">[RFC2965]</a></p>
+ <p class="note">This specification does not define what makes an
+ HTTP-only cookie, and at the time of publication the editor is not
+ aware of any reference for HTTP-only cookies. They are a feature
+ supported by some Web browsers wherein an "<code
+ title="">httponly</code>" parameter added to the cookie string
+ causes the cookie to be hidden from script.</p>
+
<p class="note">Since the <code
title="dom-document-cookie">cookie</code> attribute is accessible
across frames, the path restrictions on cookies are only a tool to
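Review bot: the only description of an HTTP-only cookie lands in a <p class="note">, which is non-normative, yet the two normative sentences above it ("excluding HTTP-only cookies" and "without overwriting the values of HTTP-only cookies") depend on it for their meaning, and the note itself concedes there is no reference for the feature, so conformance to those sentences cannot currently be tested. Either promote the definition ("a cookie whose Set-Cookie string carries an httponly parameter") into normative text or mark the two sentences as deferring to a future cookie specification. A smaller point: "causes the cookie to be hidden from script" describes only the getter side, but the setter change in this same hunk also protects such cookies from being overwritten, so the note should mention both effects.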