Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require HttpOnly browser cookies #1937

Open
jimfenton opened this issue Jun 18, 2019 · 2 comments
Open

Require HttpOnly browser cookies #1937

jimfenton opened this issue Jun 18, 2019 · 2 comments
Labels
63B future consideration/work item

Comments

@jimfenton
Copy link
Member

In 800-63B Section 7.1.1, use of HttpOnly is a SHOULD. Consider making it a SHALL to improve resistance to XSS and similar attacks.
@brodygov
Copy link

"SHOULD" seems proportionate to me. Setting HttpOnly in cookies will preclude the use of certain types of cross-origin requests, where tokens are needed in JavaScript.

There are sometimes alternatives using CORS and cross-origin requests with .withCredentials = true, but these can be more complicated to implement without advance planning.

Perhaps there's some language that could convey "should set HttpOnly without a specific good reason not to".

@jricher
Copy link
Collaborator

jricher commented Jul 12, 2019

For what it's worth, the normative "SHOULD" translates to "do this unless you have a very good and very specific reason not to do it", so I am in favor of keeping this a SHOULD, but perhaps with better explanation as to WHY.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
63B future consideration/work item
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jricher @jimfenton @brodygov and others