Simon Willison’s Weblog

Coding Horror: Protecting Your Cookies: HttpOnly. Jeff Atwood discovers the hard way that writing an HTML sanitizer is significantly harder than you would think. HttpOnly cookies aren’t the solution though: they’re potentially useful as part of a defense in depth strategy, but fundamentally if you have an XSS hole you’re going to get 0wned, HttpOnly cookies or not. Auto-escape everything on output and be extremely cautious with things like HTML sanitizers.

# 29th August 2008, 2:01 am / html, sanitization, jeff-atwood, security, httponly, xss, javascript

HTTPOnly cookie support in Firefox. Five years after the bug was filed, HTTPOnly cookie support has gone in to the Mozilla 1.8 branch. This is a defence in depth feature that has been in IE for years—it lets you set cookies that aren’t available to JavaScript, and hence can’t be hijacked in the event of an XSS flaw.

# 6th September 2007, 6:27 am / httponly, brad-fitzpatrick, firefox, security, ie, mozilla, javascript

Mozilla Gran Paradiso Alpha 3 Release Notes. New features include animated PNGs, <link rel="offline-resource"> and the HttpOnly cookie flag which indicates that a cookie should not be accessible to script (borrowed from IE).

# 25th March 2007, 9:37 pm / mozilla, granparadiso, httponly, offlinebrowsing