Closed Bug 1364757 Opened 7 years ago Closed 4 years ago

HttpOnly documentation explanation ambiguity

Categories

(Developer Documentation Graveyard :: General, defect, P3)

Product:
Developer Documentation Graveyard
Component:
General
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: giovanni, Assigned: fs)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170413192749

Steps to reproduce:

Check the documentation at:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies



Actual results:

This paragraph:

To prevent cross-site scripting (XSS) attacks, HTTP-only cookies aren't accessible via JavaScript through the Document.cookie property, the XMLHttpRequest and Request APIs. Set this flag when you don't need your cookies available in JavaScript. In particular, if you use cookies only to define a session, you don't need it in JavaScript and the HttpOnly flag should be set.



Expected results:

The problem is that the first time I read this I understood that XMLHttpRequest had no access at all to HttpOnly cookies, i.e. they wouldn't send them to the server. Obviously this is false, otherwise they would be seriously useless.

Moreover, it is not true that HttpOnly affects the APIs of XMLHttpRequest, the only thing that I can think of is getAllResponseHeaders(), which never returns the "Set-Cookie" header even if they are NOT set as HttpOnly, thus I propose to rephase that paragraph to something like this, but I'm sure that you can think of a better way, I just wanted to point out that the way it is now is quite bad:

To prevent cross-site scripting (XSS) attacks, HttpOnly cookies aren't accessible via Javascript through the Document.cookie property. Those cookies are only sent directly to the server via regular requests, XMLHttpRequest and Request APIs. As an example, if you use cookies only to determine a server-side session, you don't need it in JavaScript.

I wouldn't even mention that with XMLHttpRequest you cannot access cookies via getAllResponseHeaders(), it is implied, and it is well documented in the related doc page.
Assignee: nobody → fscholz
Priority: -- → P3
MDN Web Docs' bug reporting has now moved to GitHub. From now on, please file content bugs at https://github.com/mdn/sprints/issues/ and platform bugs at https://github.com/mdn/kuma/issues/.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.