[Security] Firefox now supports HttpOnly cookies, but...

August 2, 2007 - 12:24 UTC - Tags: HttpOnly cookie security firefox The new version of Firefox supports HttpOnly cookies. Unfortunately though, as Rsnake has written about here, the implementation has a vulnerability. Call getAllResponseHeaders() on an XMLHttpRequest object reveals the cookie.

Permalink |

Comments closed for this post

About Erlend

Security guy with some thoughts on secure development.

Follow me on twitter

Tag cloud

.net, .netspec, adam, ad lds, ajax, asp.net, authentication, authorization, axis, bdd, certificates, conference, cookie, craftsman, crossdomain, cross site scripting, cryptography, csp, csrf, css, escaping, firefox, flash, flex, httponly, input validation, javascript, jquery, jsonp, nosql, nosql-injection, output escaping, owasp, password, phishing, ql-injection, rails, retirejs, rfi, security, silverlight, spam, speaker, sql-injection, sql injection, ssl, talk, tdd, testing, unit testing, web services, wse, wss4j, x509, xml, xsrf, xss