
It saves bandwidth and leads to faster website loading. A cookie is transported with every request. This is why sites use cookie-free domains for static content. If ETags were used instead, a separate domain wouldn't be necessary.

It's more secure. If identifying session data is not accessible to JavaScript, it makes a site more secure from XSS attacks.



> It's more secure. If identifying session data is not accessible to JavaScript, it makes a site more secure from XSS attacks.

HTTPOnly should take care of this.


It depends: HTTPOnly cookies are still accessible to JavaScript in some conditions, like those using an Android browser:

https://www.owasp.org/index.php/HttpOnly#Browsers_Supporting...
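The HttpOnly point from the two replies above, as an added example that is not part of this thread: a small Python audit of Set-Cookie headers that lists which cookies document.cookie would expose to page scripts and which session cookies are missing HttpOnly or Secure. The header samples and the list of session cookie names are constructed for the example; the check only verifies that the server set the attribute, not that a given browser honours it.

```python
# Constructed Set-Cookie headers (not from the thread): the same session
# cookie set without, then with, the HttpOnly and Secure attributes.
WEAK_HEADERS = ["sessionid=abc123; Path=/", "theme=dark; Path=/"]
FIXED_HEADERS = ["sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
                 "theme=dark; Path=/"]

# Cookie names treated as session identifiers (assumed list for the example).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "connect.sid"}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Flag attributes such as HttpOnly and Secure map to True; attribute
    names are lower-cased so lookups are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def js_visible_cookie_names(headers):
    """Names of cookies that document.cookie would expose to page scripts."""
    return [name for name, _, attrs in map(parse_set_cookie, headers)
            if not attrs.get("httponly")]


def audit_set_cookie(headers):
    """Return (cookie_name, problem) pairs for session cookies lacking protection."""
    findings = []
    for name, _, attrs in map(parse_set_cookie, headers):
        if name.lower() not in SESSION_NAMES:
            continue
        if not attrs.get("httponly"):
            findings.append((name, "missing HttpOnly: readable via document.cookie"))
        if not attrs.get("secure"):
            findings.append((name, "missing Secure: also sent over plain HTTP"))
    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, js_visible_cookie_names(headers), audit_set_cookie(headers))
```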



