仕様書

意味

[16] HttpOnly 属性はクッキーの適用範囲を HTTP 要求だけに限定します。 >>15

[17] HttpOnly 属性のついたクッキーは「非non- HTTP」 API からはアクセスできません >>15。 具体的には document.cookie 属性からこれを取得することはできません。

「非HTTP」API

[23] document.cookie は「非HTTP」APIです >>22。つまり HttpOnly クッキーは document.cookie で取得できません。

[26] <meta http-equiv=Set-Cookie> は「非HTTP」API です >>25。

[29] HTTP Set-Cookie: / Cookie: ヘッダーは、「非HTTP」APIではありません。

[28] WebSocket接続の確立時の Cookie: ヘッダーは、「非HTTP」API ではありません >>27。 Set-Cookie: も同様と思われます。

構文

 httponly-av       = "HttpOnly"

処理モデル

[21] 属性値はあっても無視されます >>20。

歴史

[9] Mitigating Cross-site Scripting With HTTP-only Cookies (2007-01-18 14:03:44 +09:00 版) http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp

[8] httpOnly cookie flag support in PHP 5.2 - iBlog - Ilia Alshanetsky (2007-01-18 14:04:40 +09:00 版) http://ilia.ws/archives/121-httpOnly-cookie-flag-support-in-PHP-5.2.html

[7] Bug 178993 – MSIE-extension: HttpOnly cookie attribute for cross-site scripting vulnerability prevention (2007-01-18 14:05:01 +09:00 版) https://bugzilla.mozilla.org/show_bug.cgi?id=178993

[6] robubu » Blog Archive » HttpOnly please (2007-01-18 14:02:56 +09:00 版) http://robubu.com/?p=15

[2] HTTPOnly Fix In MSXML ha.ckers.org web application security lab (2008-11-21 17:47:39 +09:00 版) http://ha.ckers.org/blog/20081111/httponly-fix-in-msxml/

[3] Bug 380418 – XMLHttpRequest allows reading HTTPOnly cookies (2008-11-21 17:49:08 +09:00 版) https://bugzilla.mozilla.org/show_bug.cgi?id=380418

[4] (X)HTML5 Tracking (2008-12-02 19:46:38 +09:00 版) http://html5.org/tools/web-apps-tracker?from=2516&to=2517

[5] Scope of HTTPOnly Cookies (2008-12-15 19:00:11 +09:00 版) http://docs.google.com/View?docid=dxxqgkd_0cvcqhsdw

メモ

[11] mod_rewrite - Apache HTTP Server (2009-10-04 03:10:27 +09:00 版) http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#RewriteRule

[30] Proposal for httpOnly cookies access via NPAPI (2012-06-04 22:14:52 +09:00 版) https://mail.mozilla.org/pipermail/plugin-futures/2012-June/000525.html

[31] Proposal for httpOnly cookies access via NPAPI (2012-06-04 22:51:09 +09:00 版) https://mail.mozilla.org/pipermail/plugin-futures/2012-June/000526.html

[32] NPAPI:HttpOnlyCookies - MozillaWiki (2015-05-01 19:04:11 +09:00 版) https://wiki.mozilla.org/NPAPI:HttpOnlyCookies

[34] (X)HTML5 Tracking (2010-02-01 21:41:28 +09:00 版) http://html5.org/tools/web-apps-tracker?from=4639&to=4640

[36] ChromeDriver は httpOnly を設定して Add Cookie を実行しても、無視されて普通のクッキーになってしまいます。2017-05-18T06:15:19.100Z

[37] Clearly indicate that webdriver can access HttpOnly cookies (shs96c著, 2017-08-03 19:40:27 +09:00) https://github.com/w3c/webdriver/commit/73ae1efefb7c143c41e5ba521206d35aa4a22b24

[38] "All associated cookies" must include http-only cookies. · Issue #971 · w3c/webdriver (2017-08-10 18:15:36 +09:00) https://github.com/w3c/webdriver/issues/971

[39] Clearly indicate that webdriver can access HttpOnly cookies by shs96c · Pull Request #994 · w3c/webdriver (2017-08-10 18:15:58 +09:00) https://github.com/w3c/webdriver/pull/994

[40] Actions required to mitigate Speculative Side-Channel Attack techniques - The Chromium Projects (2018-01-09 10:37:14 +09:00) https://www.chromium.org/Home/chromium-security/ssca

[41] Meltdown/Spectre  |  Web  |  Google Developers (2018-02-08 00:05:08 +09:00) https://developers.google.com/web/updates/2018/02/meltdown-spectre