by tshadwell 3671 days ago
The primary problem this hopes to solve is actually CSRF. Simply generating an HTML form for any website and submitting it sends the cookies of the target website, regardless of where the form is based. XHR isn't so much of an issue as it has same-origin policy restrictions.

This spec allows you to set cookies that turn this outdated and age-old security policy on its head, so instead of having to generate and validate cryptographically derived client-correlated tokens on every form (CSRF tokens), we can simply set this flag and refuse to send these cookies from any other site. This has long been known to be the right thing to do, which is why other new-age web policies like CORS refuse to send cookies completely by default.

The HttpOnly flag is meant to mitigate cookie theft risk via XSS. To my knowledge this particular innovation actually does nothing to that risk.
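A small model of the two defences the comment contrasts, a browser-side cookie flag versus a server-side CSRF token. This is an added example, not code from the post or the spec; `first_party_only` is an assumed stand-in name for the flag, and the site names and server secret are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    site: str                        # site that set the cookie, e.g. "bank.example"
    first_party_only: bool = False   # assumed name for the new flag the spec adds


def browser_attaches_cookie(cookie: Cookie, initiator_site: str, target_site: str) -> bool:
    """Legacy rule: a cookie for the target site is attached no matter which site
    built the form.  With the flag set, it is attached only when the request was
    initiated from the cookie's own site, so a cross-site form never carries it."""
    if cookie.site != target_site:
        return False
    if cookie.first_party_only and initiator_site != cookie.site:
        return False
    return True


# --- CSRF-token defence: a token derived from the session, checked on every form ---
SERVER_KEY = b"constructed-server-secret"   # constructed; a real key would be random


def issue_csrf_token(session_id: str) -> str:
    """Token the server embeds in each form it renders for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def form_post_accepted(session_id: str, submitted_token: Optional[str]) -> bool:
    """Server-side check: the posted token must match the one issued to this session.
    A form built on another site never sees the token, so it cannot supply one."""
    if submitted_token is None:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted_token)


def cross_site_post_authenticated(cookie: Cookie, attacker_site: str = "evil.example") -> bool:
    """Outcome for a legacy server (cookie alone authenticates) when a form hosted on
    attacker_site is submitted to the cookie's site."""
    return browser_attaches_cookie(cookie, attacker_site, cookie.site)
```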


Yep, CSRF is a completely opt-in problem to have. There are pretty much zero (valid) reasons to need cookies anymore. Although I agree this spec is an improvement, its main purpose should be to make legacy systems more secure. The best course of action would be to avoid cookies entirely.
What are you proposing to replace cookies with? Auth tokens and XHR? Localstorage? Why?