RETURN $ecure;

Security, Technology and Life

Opera to support HttpOnly

with 3 comments

Heya. I haven’t blogged in awhile but I do want to start getting back into it.

So, we’ll start with something small.

I read this article the other day about updates coming to Opera in 9.5 and was pleasantly surprised to read that it will support HttpOnly cookies. If you don’t know what that is, here’s a quick run-down. Normally, cookies can be read by scripts, for example through document.cookie in JavaScript. Along with its other attributes, the Set-Cookie header that creates a cookie can carry an HttpOnly attribute; a cookie marked this way cannot normally be read by any means other than the browser sending it in an HTTP request. This slightly mitigates using XSS to steal credentials, since the injected script can no longer read the cookie and send it out, but it obviously doesn’t stop phishing by any means. Many sites already set HttpOnly cookies, but currently only Internet Explorer supports the attribute. If you use a browser that doesn’t support it, the cookie is simply downgraded to a normal cookie. To be fair, Firefox 3 is planned to have support for it as well, but it seems Opera 9.5 will be out before FF3. At any rate, while this won’t stop XSS, it basically eliminates the risk of cookie theft.
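To make the mechanism concrete, here is an added example (my own code, not from the original post or from Opera) that parses Set-Cookie header values, reports which cookies were set without the HttpOnly attribute, and models what document.cookie would expose to script on a browser that honours the attribute. The header values in SAMPLE_HEADERS are constructed sample data.

```javascript
// Added example, not from the original post: audit Set-Cookie headers for
// the HttpOnly attribute and model what document.cookie would expose.
// SAMPLE_HEADERS below are constructed sample values, not real responses.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are compared case-insensitively, as browsers do.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? true : part.slice(eq + 1).trim();
    attrs[key] = val;
  }
  // Cookie values may themselves contain '=', so re-join the remainder.
  return { name: name.trim(), value: rest.join('=').trim(), attrs };
}

// Names of cookies that were set without the HttpOnly attribute and are
// therefore readable by any script running in the page (e.g. via XSS).
function cookiesMissingHttpOnly(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !('httponly' in c.attrs))
    .map((c) => c.name);
}

// Model of document.cookie on a browser that honours HttpOnly: only the
// cookies without the attribute are serialised into the string.
function scriptVisibleCookieString(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !('httponly' in c.attrs))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample Set-Cookie values from one hypothetical response.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly',
  'theme=dark; Path=/',
  'csrftoken=xyz789; Path=/; Secure; httponly',
];

console.log('Cookies missing HttpOnly:', cookiesMissingHttpOnly(SAMPLE_HEADERS));
console.log('document.cookie would read:', JSON.stringify(scriptVisibleCookieString(SAMPLE_HEADERS)));
```

Run it with Node; the session and CSRF cookies are flagged as protected while the theme cookie shows up as script-readable. On a browser that ignores the attribute, every cookie would land in document.cookie, which is exactly the downgrade the post describes.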

Just remember, though, that cookies aren’t the only credentials that can be stolen with XSS or other methods. ‘Dynamic’ phishing methods that don’t rely on a third-party site are still somewhat hard to detect and should be watched out for.


Written by Rodney G

05/10/2007 at 1:37 pm

Posted in Uncategorized


3 Responses


  1. Well.. I don’t agree.. If you look at it from the other side

    Infoovervooru

    05/30/2007 at 3:50 pm

  2. XSS: Focus away from the real problems?

    Go to any site about how to build secure websites and XSS soon gets a lot of attention. XSS is nowadays the AJAX of website security. And that while it is ultimately one of the less harmful forms of web hacking. And…

    RubberDuck Log

    06/2/2007 at 2:25 am

  3. Shame that Opera still leaks HTTPOnly cookies via XMLHTTPRequest.getAllResponseHeaders

    Jim Manico

    12/21/2008 at 6:05 am

