http://simonwillison.net/2008-08-29T02:01:48+00:00Simon Willison2008-08-29T02:01:48+00:002008-08-29T02:01:48+00:00https://simonwillison.net/2008/Aug/29/coding/#atom-tag

<p><strong><a href="http://www.codinghorror.com/blog/archives/001167.html">Coding Horror: Protecting Your Cookies: HttpOnly</a></strong></p> Jeff Atwood discovers the hard way that writing an HTML sanitizer is significantly harder than you would think. HttpOnly cookies aren’t the solution though: they’re potentially useful as part of a defense in depth strategy, but fundamentally if you have an XSS hole you’re going to get 0wned, HttpOnly cookies or not. Auto-escape everything on output and be extremely cautious with things like HTML sanitizers. <p>Tags: <a href="https://simonwillison.net/tags/html">html</a>, <a href="https://simonwillison.net/tags/httponly">httponly</a>, <a href="https://simonwillison.net/tags/javascript">javascript</a>, <a href="https://simonwillison.net/tags/jeff-atwood">jeff-atwood</a>, <a href="https://simonwillison.net/tags/sanitization">sanitization</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/xss">xss</a></p>

2007-09-06T06:27:33+00:002007-09-06T06:27:33+00:00https://simonwillison.net/2007/Sep/6/brads/#atom-tag

<p><strong><a href="http://brad.livejournal.com/2340595.html">HTTPOnly cookie support in Firefox</a></strong></p> Five years after the bug was filed, HTTPOnly cookie support has gone in to the Mozilla 1.8 branch. This is a defence in depth feature that has been in IE for years—it lets you set cookies that aren’t available to JavaScript, and hence can’t be hijacked in the event of an XSS flaw. <p>Tags: <a href="https://simonwillison.net/tags/brad-fitzpatrick">brad-fitzpatrick</a>, <a href="https://simonwillison.net/tags/firefox">firefox</a>, <a href="https://simonwillison.net/tags/httponly">httponly</a>, <a href="https://simonwillison.net/tags/internet-explorer">internet-explorer</a>, <a href="https://simonwillison.net/tags/javascript">javascript</a>, <a href="https://simonwillison.net/tags/mozilla">mozilla</a>, <a href="https://simonwillison.net/tags/security">security</a></p>

2007-03-25T21:37:44+00:002007-03-25T21:37:44+00:00https://simonwillison.net/2007/Mar/25/mozilla/#atom-tag

<p><strong><a href="http://www.mozilla.org/projects/firefox/3.0a3/releasenotes/">Mozilla Gran Paradiso Alpha 3 Release Notes</a></strong></p> New features include animated PNGs, <code>&lt;link rel="offline-resource"&gt;</code> and the <code>HttpOnly</code> cookie flag which indicates that a cookie should not be accessible to script (borrowed from IE). <p>Tags: <a href="https://simonwillison.net/tags/granparadiso">granparadiso</a>, <a href="https://simonwillison.net/tags/httponly">httponly</a>, <a href="https://simonwillison.net/tags/mozilla">mozilla</a>, <a href="https://simonwillison.net/tags/offlinebrowsing">offlinebrowsing</a></p>