[whatwg] HttpOnly cookies reference

Den.Molib den.molib at gmail.com
Wed Mar 4 09:51:44 PST 2009

Section 3.2.3 says:
> This specification does not define what makes an HTTP-only cookie, and
> at the time of publication the editor is not aware of any reference
> for HTTP-only cookies. They are a feature supported by some Web
> browsers wherein an "|httponly|" parameter added to the cookie string
> causes the cookie to be hidden from script.

It is my understanding that HTTP-only cookies were first defined by
Michael Howard in his blog entry titled 'Some Bad News and Some Good
News' (October 21, 2002).

That content is currently hosted at:
http://msdn.microsoft.com/en-us/library/ms972826.aspx (scroll to the
section 'The Good News: Mitigating Cross-Site Scripting Issues')
Microsoft URLs are not too stable. It can also be reached from
(an old url, being used on
or from the Wayback machine
