Monday, March 19, 2007

Firefox 3.0 httpOnly

Ok, when Firefox 3.0 is released, it will have httpOnly support included in the browser. httpOnly is a new attribute for cookies that stops client-side script from reading them, thus preventing most of the cookie theft behind XSS attacks. I am not sure if it stops 100% of XSS, but still it's a good move from the Firefox team to implement it. More stories can be found here:

http://www.networkcomputing.com/blog/dailyblog/archives/2007/03/no_cookie_for_y.html


A typical httpOnly cookie looks like this:

Set-Cookie: USER=hackathology; expires=Sat, 18-Mar-2007 09:28:18 GMT; HttpOnly
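As an added example (not part of the original post), here is a small audit script that parses Set-Cookie headers like the one above and flags cookies that a page script could still read because HttpOnly is missing; the sample headers and cookie names are constructed.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attribute.

Added example; not code from the original post. The sample headers below
are constructed, modelled on the USER cookie shown in the post.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header into its cookie name and attribute flags.

    Attribute names are case-insensitive, so 'httponly', 'HttpOnly' and
    'HTTPONLY' are all recognised. Attributes are separated by ';', so a
    comma inside the expires date does not confuse the split.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    audit = CookieAudit(name=name,
                        httponly="httponly" in attrs,
                        secure="secure" in attrs)
    if not audit.httponly:
        audit.findings.append("readable by document.cookie: missing HttpOnly")
    if not audit.secure:
        audit.findings.append("sent over plain HTTP: missing Secure")
    return audit


def audit_headers(headers):
    """Return one CookieAudit per Set-Cookie header."""
    return [parse_set_cookie(h) for h in headers]


# Constructed sample responses: one hardened cookie, one exposed one.
SAMPLE_HEADERS = [
    "USER=hackathology; expires=Sat, 18-Mar-2007 09:28:18 GMT; HttpOnly; Secure",
    "PREFS=theme-dark; Path=/",
]

if __name__ == "__main__":
    for a in audit_headers(SAMPLE_HEADERS):
        print(f"{a.name}: {'ok' if not a.findings else '; '.join(a.findings)}")
```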

2 comments:

Anonymous said...

It's said that implementation of httpOnly stops XSS completely.

Anonymous said...

Well, I wouldn't place my bet on it, but let's just see. Jeremiah Grossman wrote a whitepaper where, if the web server supports the TRACE option, you can still use XMLHTTP to perform XSS. Let's just see when it is launched.

hackathology