
Simon Willison’s Weblog

HTTPOnly cookie support in Firefox. Five years after the bug was filed, HTTPOnly cookie support has gone into the Mozilla 1.8 branch. This is a defence-in-depth feature that has been in IE for years—it lets you set cookies that aren’t available to JavaScript, and hence can’t be hijacked in the event of an XSS flaw.
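As an added illustration (not code from the post or from Mozilla), the snippet below shows the server side of the feature: a session cookie emitted with the HttpOnly flag using Python's standard `http.cookies` module, plus a small audit routine that reads Set-Cookie header values and reports cookies that lack HttpOnly or Secure. The sample headers and the cookie names `sid`, `theme` and `auth` are constructed for the example.

```python
"""Added example: emit a cookie with the HttpOnly flag and audit Set-Cookie
headers for cookies that lack it. Not part of the original post."""
from http.cookies import SimpleCookie


def build_session_cookie(name: str, value: str, secure: bool = True) -> str:
    """Return a Set-Cookie header value carrying the HttpOnly flag.

    HttpOnly keeps the cookie out of document.cookie, so script injected
    through an XSS flaw cannot read it; Secure keeps it off plaintext HTTP.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = secure
    morsel["path"] = "/"
    return morsel.OutputString()


def parse_set_cookie(header: str):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; bare flags such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie_headers(headers):
    """Return [(cookie name, [missing flags])] for cookies that lack
    HttpOnly or Secure. A cookie without HttpOnly is readable by any
    script running in the page, which is exactly what XSS gives an attacker."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample headers, as a response-header scanner might collect them.
SAMPLE_HEADERS = [
    build_session_cookie("sid", "s3ss10n"),   # both flags present
    "theme=dark; Path=/",                      # preference cookie, no flags
    "auth=tok3n; Path=/; Secure",              # Secure but still script-readable
]

if __name__ == "__main__":
    print(SAMPLE_HEADERS[0])
    for cookie, missing in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{cookie}: missing {', '.join(missing)}")
```

The audit only inspects the attributes the server actually sent; whether the browser honours HttpOnly is a separate question, which is why the flag is defence in depth rather than a substitute for fixing the XSS itself.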


2 comments

  1. Saying that httponly cookies prevent "hijacking" gives a false sense of security. They can still be used during an XSS attack simply by making additional HTTP requests. The only things it prevents are

    1. Seeing the contents of the cookies, which is usually uninteresting.
    2. Attacks against certain complicated multi-host setups, such as livejournal.

    When I hear someone other than livejournal clamoring for httponly cookies, I'm suspicious that they don't understand that httponly cookies don't actually protect them at all.

    Jesse Ruderman - 6th September 2007 23:59 - #

  2. Plus, it seems the Mozilla implementation is vulnerable.

    http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/

    Zsolt - 8th September 2007 10:30 - #
