HttpOnly documentation explanation ambiguity

Developer Documentation
7 months ago

(Reporter: giovanni, Unassigned)

7 months ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170413192749

Steps to reproduce:

Check the documentation at:

Actual results:

This paragraph:

To prevent cross-site scripting (XSS) attacks, HTTP-only cookies aren't accessible via JavaScript through the Document.cookie property, the XMLHttpRequest and Request APIs. Set this flag when you don't need your cookies available in JavaScript. In particular, if you use cookies only to define a session, you don't need it in JavaScript and the HttpOnly flag should be set.

Expected results:

The problem is that the first time I read this I understood that XMLHttpRequest had no access at all to HttpOnly cookies, i.e. they wouldn't send them to the server. Obviously this is false, otherwise they would be seriously useless.

Moreover, it is not true that HttpOnly affects the APIs of XMLHttpRequest. The only thing that I can think of is getAllResponseHeaders(), which never returns the "Set-Cookie" header even if the cookies are NOT set as HttpOnly, thus I propose to rephrase that paragraph to something like this, but I'm sure that you can think of a better way; I just wanted to point out that the way it is now is quite bad:

To prevent cross-site scripting (XSS) attacks, HttpOnly cookies aren't accessible via JavaScript through the Document.cookie property. Those cookies are only sent directly to the server via regular requests, XMLHttpRequest and Request APIs. As an example, if you use cookies only to determine a server-side session, you don't need it in JavaScript.

I wouldn't even mention that with XMLHttpRequest you cannot access cookies via getAllResponseHeaders(), it is implied, and it is well documented in the related doc page.
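The distinction the report is making, as an added example that is not part of the bug report or of the MDN page it discusses: a minimal model of a browser cookie jar in which HttpOnly only filters the view exposed through document.cookie, while the Cookie request header the browser attaches to a navigation, XMLHttpRequest or fetch() carries every cookie, and Set-Cookie is stripped from the headers a script can read regardless of the HttpOnly attribute. Assumptions (not stated on the page): all cookies belong to one origin, so Domain/Path/Secure/SameSite matching is parsed past but not enforced, and the sample Set-Cookie values are constructed.

```javascript
// Added example, not from the bug report or MDN. Models which view of a
// browser's cookie jar the HttpOnly attribute affects.
//
// Assumptions: single origin, so Domain/Path/Secure/SameSite are parsed but
// not enforced; sample Set-Cookie values below are constructed.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(headerValue) {
  const [pair, ...attrs] = headerValue.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const cookie = { name, value, httpOnly: false, secure: false };
  for (const attr of attrs) {
    const [key] = attr.split("=");
    switch (key.toLowerCase()) {
      case "httponly": cookie.httpOnly = true; break;
      case "secure": cookie.secure = true; break;
      default: break; // Path, Max-Age, SameSite, ... accepted but unused here
    }
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Every Set-Cookie header from a response is stored, HttpOnly or not.
  storeResponseCookies(setCookieHeaders) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h);
      this.cookies.set(c.name, c);
    }
  }

  // What document.cookie returns to script: HttpOnly cookies are filtered out.
  documentCookie() {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }

  // The Cookie header the browser attaches to a same-origin request, whether a
  // navigation, XMLHttpRequest or fetch(): all cookies, HttpOnly ones included.
  cookieRequestHeader() {
    return [...this.cookies.values()]
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// What getAllResponseHeaders() (or a fetch Response's headers) exposes: Set-Cookie
// is a forbidden response-header name and is never visible to script, with or
// without HttpOnly. Other headers pass through unchanged.
function scriptVisibleResponseHeaders(headers) {
  const forbidden = new Set(["set-cookie", "set-cookie2"]);
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => !forbidden.has(k.toLowerCase()))
  );
}

// Constructed sample response: a server-side session cookie marked HttpOnly
// and a UI preference cookie that script is allowed to read.
const SAMPLE_SET_COOKIE = [
  "SESSIONID=abc123; Path=/; HttpOnly; Secure",
  "theme=dark; Path=/",
];

function demo() {
  const jar = new CookieJar();
  jar.storeResponseCookies(SAMPLE_SET_COOKIE);
  return {
    documentCookie: jar.documentCookie(),        // "theme=dark"
    cookieHeader: jar.cookieRequestHeader(),     // "SESSIONID=abc123; theme=dark"
  };
}

console.log(demo());
```

The two methods on the jar are the whole point: an XSS payload reading document.cookie sees only theme=dark, yet an XMLHttpRequest or fetch() the same payload issues still carries SESSIONID, because the browser builds the Cookie header from the full jar. HttpOnly therefore stops cookie theft, not cookie use from injected script running in the page.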