OK, when Firefox 3.0 is released, it will support the HttpOnly cookie attribute. HttpOnly (first shipped by Microsoft in Internet Explorer 6 SP1, so new to Firefox rather than new to the web) tells the browser not to expose the cookie to client-side script: document.cookie simply omits it. The point is that an XSS payload can no longer read the session cookie and send it to the attacker. It does not stop the injected script from running, and that script can still make requests from the victim's browser with the cookie attached, so HttpOnly limits the damage of most XSS rather than preventing XSS itself. I am not sure it closes every avenue, but it is still a good move by the Firefox team. More on the story here:
http://www.networkcomputing.com/blog/dailyblog/archives/2007/03/no_cookie_for_y.html
A typical Set-Cookie header carrying the HttpOnly flag looks like this (the date is in the RFC 1123 form browsers expect; the flag is the last, value-less attribute):
Set-Cookie: USER=hackathology; expires=Sun, 18-Mar-2007 09:28:18 GMT; HttpOnly
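As an added example (not code from the original post), the following JavaScript builds a Set-Cookie header with the HttpOnly flag set by default and audits a list of Set-Cookie headers for cookies that lack it. The cookie names and values are constructed sample data; the builder refuses names and values containing the separator characters that would let a caller smuggle extra attributes into the header.

```javascript
// Added example, not from the original post. Builds and audits Set-Cookie
// headers for the HttpOnly attribute. Sample cookie data below is constructed.

// Build a Set-Cookie header value. HttpOnly is on unless explicitly disabled,
// because the safe default is to keep cookies away from document.cookie.
function buildSetCookie(name, value, opts = {}) {
  // Separator characters in the name or value would let a caller inject
  // additional attributes, so reject them outright.
  if (/[;,\s=]/.test(name) || /[;,\s]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  const parts = [`${name}=${value}`];
  if (opts.expires instanceof Date) {
    // toUTCString() yields the RFC 1123 date form browsers accept.
    parts.push(`expires=${opts.expires.toUTCString()}`);
  }
  if (opts.path) parts.push(`path=${opts.path}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly !== false) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse one Set-Cookie header value into its name/value pair and flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    attrs: {},
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1);
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else cookie.attrs[key] = val;
  }
  return cookie;
}

// Given every Set-Cookie header a response carried, return the names of the
// cookies that client-side script would be able to read via document.cookie.
function cookiesMissingHttpOnly(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.httpOnly).map((c) => c.name);
}

// Constructed sample: a response that sets three cookies, one of them
// readable by script.
const sampleHeaders = [
  buildSetCookie('USER', 'hackathology', {
    expires: new Date(Date.UTC(2007, 2, 18, 9, 28, 18)),
  }),
  'PHPSESSID=abc123; path=/',
  buildSetCookie('theme', 'dark', { httpOnly: false }),
];
```

Run with `node` and inspect `cookiesMissingHttpOnly(sampleHeaders)`: it reports PHPSESSID and theme, while USER is protected. Attribute matching is case-insensitive because browsers treat `HttpOnly`, `httponly` and `HTTPONLY` alike.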
Monday, March 19, 2007
2 comments:
It's said that implementation of httpOnly stops XSS completely.
Well, I wouldn't place my bet on it, but let's just see. Jeremiah Grossman wrote a whitepaper where, if the web server supports the TRACE option, you can still use XMLHTTP to perform XSS. Let's just see when it is launched.
hackathology
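The comment above refers to what Grossman called cross-site tracing (XST): a server that implements the HTTP TRACE method echoes the whole request back in the response body, Cookie header included, so a script that can issue a TRACE to that origin reads the cookie out of the response text even though the browser keeps it out of document.cookie. The JavaScript below is an added example, not code from the post or the comments; it models both the vulnerable and the hardened server behaviour as plain functions over a constructed request object, and the extraction step an attacker's script would run on the XMLHttpRequest response. One caveat worth knowing: current browsers refuse to send TRACE from XMLHttpRequest at all, so the practical defence today is the same as it was then, disable TRACE on the server.

```javascript
// Added example, not from the original post or its comments. Models the
// cross-site tracing problem: a TRACE handler reflects the request, Cookie
// header included. The request objects below are constructed sample data.

// Serialise a request the way a TRACE handler echoes it back (RFC 2616 says
// the response body is the request message as received by the server).
function echoRequest(req) {
  const lines = [`${req.method} ${req.path} HTTP/1.1`];
  for (const [name, value] of Object.entries(req.headers)) {
    lines.push(`${name}: ${value}`);
  }
  return lines.join('\r\n') + '\r\n\r\n';
}

// Vulnerable server: TRACE enabled, request reflected verbatim.
function handleWithTrace(req) {
  if (req.method === 'TRACE') {
    return {
      status: 200,
      headers: { 'Content-Type': 'message/http' },
      body: echoRequest(req),
    };
  }
  return { status: 200, headers: { 'Content-Type': 'text/plain' }, body: 'hello' };
}

// Hardened server: TRACE is rejected before anything is reflected.
function handleWithoutTrace(req) {
  if (req.method === 'TRACE') {
    return { status: 405, headers: { Allow: 'GET, HEAD, POST' }, body: '' };
  }
  return handleWithTrace(req);
}

// What the attacker's script does with the responseText: pull the Cookie
// line out of the echoed request. Returns null when nothing was reflected.
function cookieFromTraceResponse(res) {
  if (res.status !== 200) return null;
  const match = /^Cookie:\s*(.*)$/im.exec(res.body);
  return match ? match[1].trim() : null;
}

// Constructed sample: the TRACE the injected script would send, with the
// browser automatically attaching the HttpOnly cookie from the first example.
const traceRequest = {
  method: 'TRACE',
  path: '/',
  headers: { Host: 'victim.example', Cookie: 'USER=hackathology' },
};
```

With TRACE enabled, `cookieFromTraceResponse(handleWithTrace(traceRequest))` hands the script the very cookie HttpOnly was meant to hide; with the 405 handler it gets nothing. The browser-side flag and the server-side method restriction are complementary controls, not substitutes.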