[whatwg] HttpOnly cookies reference

Den.Molib den.molib at gmail.com
Wed Mar 4 09:51:44 PST 2009


Section 3.2.3 says:
> This specification does not define what makes an HTTP-only cookie, and
> at the time of publication the editor is not aware of any reference
> for HTTP-only cookies. They are a feature supported by some Web
> browsers wherein an "|httponly|" parameter added to the cookie string
> causes the cookie to be hidden from script.

It is my understanding that Http-only cookies were first defined by
Michael Howard in his blog entry titled 'Some Bad News and Some Good
News' (October 21, 2002).

That content is currently hosted at:
http://msdn.microsoft.com/en-us/library/ms972826.aspx (scroll to the
section 'The Good News: Mitigating Cross-Site Scripting Issues').
Microsoft URLs are not too stable. It can also be reached from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure10102002.asp?frame=true
(an old URL, being used on
http://www.microsoft.com/presspass/features/2002/oct02/10-23xss-ie.mspx)
or from the Wayback Machine:
http://web.archive.org/web/20061007124347/http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp




