Closed
Bug 1364757
Opened 7 years ago
Closed 4 years ago
HttpOnly documentation explanation ambiguity
Categories: Developer Documentation Graveyard :: General, defect, P3
Tracking: Not tracked
Status: RESOLVED WONTFIX
People: Reporter: giovanni, Assigned: fs
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170413192749

Steps to reproduce:

Check the documentation at: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies

Actual results:

This paragraph:

"To prevent cross-site scripting (XSS) attacks, HTTP-only cookies aren't accessible via JavaScript through the Document.cookie property, the XMLHttpRequest and Request APIs. Set this flag when you don't need your cookies available in JavaScript. In particular, if you use cookies only to define a session, you don't need it in JavaScript and the HttpOnly flag should be set."

Expected results:

The problem is that the first time I read this I understood that XMLHttpRequest had no access at all to HttpOnly cookies, i.e. it wouldn't send them to the server. Obviously this is false, otherwise they would be seriously useless. Moreover, it is not true that HttpOnly affects the APIs of XMLHttpRequest; the only thing that I can think of is getAllResponseHeaders(), which never returns the "Set-Cookie" header even if the cookies are NOT set as HttpOnly. Thus I propose to rephrase that paragraph to something like this, but I'm sure that you can think of a better way; I just wanted to point out that the way it is now is quite bad:

"To prevent cross-site scripting (XSS) attacks, HttpOnly cookies aren't accessible via JavaScript through the Document.cookie property. Those cookies are only sent directly to the server via regular requests, XMLHttpRequest and Request APIs. As an example, if you use cookies only to determine a server-side session, you don't need it in JavaScript."

I wouldn't even mention that with XMLHttpRequest you cannot access cookies via getAllResponseHeaders(); it is implied, and it is well documented in the related doc page.
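To make the distinction the report is arguing about concrete, here is an added example (not code from MDN or from the reporter) modelling the browser's cookie jar as a small JavaScript class. It shows the two views the browser keeps of the same cookies: the Cookie request header, which carries HttpOnly cookies on navigations, XMLHttpRequest and fetch() alike, and the document.cookie view, which omits them. It also models the two related rules the report touches on: script cannot create or overwrite an HttpOnly cookie through document.cookie (RFC 6265 section 5.3), and Set-Cookie is never exposed to script through getAllResponseHeaders() or the fetch Headers object, HttpOnly or not. The cookie names and values are constructed sample data; the CookieJar class and its method names are this example's own.

```javascript
// Added example (not from MDN or the bug report): a minimal model of the
// browser's cookie jar, showing what HttpOnly changes and what it leaves
// alone. Cookie names/values below are constructed sample data.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error(`malformed Set-Cookie: ${header}`);
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
  };
  for (const attr of attrs) {
    const key = attr.split('=')[0].toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    // Path, Domain, Expires, Max-Age and SameSite are ignored by this toy jar.
  }
  return cookie;
}

class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> cookie record, insertion ordered
  }

  // Cookies arriving in a response are stored whether the response came from
  // a navigation, XMLHttpRequest or fetch(); HttpOnly does not affect this.
  storeFromResponse(setCookieHeaders) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h);
      this.cookies.set(c.name, c);
    }
  }

  // The Cookie request header the browser attaches to a request to this
  // origin, XHR/fetch included: every stored cookie, HttpOnly or not.
  requestCookieHeader() {
    return [...this.cookies.values()]
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What script reads from document.cookie: HttpOnly cookies are omitted.
  documentCookieView() {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }

  // Writes through document.cookie (a "non-HTTP API" in RFC 6265 terms):
  // a script may neither create an HttpOnly cookie nor overwrite an existing
  // one. Returns true if the write was accepted.
  scriptSetCookie(header) {
    const c = parseSetCookie(header);
    const existing = this.cookies.get(c.name);
    if (c.httpOnly || (existing && existing.httpOnly)) return false;
    this.cookies.set(c.name, c);
    return true;
  }
}

// XMLHttpRequest.getAllResponseHeaders() and the fetch Headers object never
// expose Set-Cookie to script, regardless of the HttpOnly attribute (Fetch's
// "forbidden response-header names"). Input: array of [name, value] pairs.
function scriptVisibleResponseHeaders(headers) {
  const forbidden = new Set(['set-cookie', 'set-cookie2']);
  return headers.filter(([name]) => !forbidden.has(name.toLowerCase()));
}

// Walk through the scenario from the bug: a session cookie marked HttpOnly
// and a preference cookie without it.
function demonstrate() {
  const jar = new CookieJar();
  const responseHeaders = [
    ['Content-Type', 'text/html'],
    ['Set-Cookie', 'session=abc123; HttpOnly; Secure; Path=/'], // constructed
    ['Set-Cookie', 'theme=dark; Path=/'],                        // constructed
  ];
  jar.storeFromResponse(
    responseHeaders
      .filter(([n]) => n.toLowerCase() === 'set-cookie')
      .map(([, v]) => v),
  );
  return {
    // sent with the next navigation, XHR or fetch() request to this origin
    requestHeader: jar.requestCookieHeader(),
    // visible to script
    documentCookie: jar.documentCookieView(),
    // script cannot clobber the HttpOnly session cookie
    overwriteAccepted: jar.scriptSetCookie('session=forged'),
    // script can still set its own non-HttpOnly cookie
    themeWriteAccepted: jar.scriptSetCookie('theme=light'),
    // header names script can read from the response
    headersSeenByScript: scriptVisibleResponseHeaders(responseHeaders).map(([n]) => n),
  };
}

console.log(demonstrate());
```

Running it prints a request header containing both cookies but a document.cookie view containing only `theme=dark`, which is exactly the point the reporter wants the documentation to make: HttpOnly restricts what script can read and write, not what the browser sends.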
Updated • 5 years ago
Assignee: nobody → fscholz
Priority: -- → P3
Comment 1 • 4 years ago
MDN Web Docs' bug reporting has now moved to GitHub. From now on, please file content bugs at https://github.com/mdn/sprints/issues/ and platform bugs at https://github.com/mdn/kuma/issues/.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX