Are there any efforts underway to support the HttpOnly cookie directive within any version of the HTTP Protocol?

The HttpOnly cookie flag, now supported or soon to be supported by all major browser vendors, is a significant security enhancement for web centric computing. The HttpOnly flag simply prevents JavaScript from reading the details of a cookie. In particular, adding this flag to the HTTP spec as an /optional/ cookie directive will go a long way in assisting in the mitigation of Cross Site Scripting (XSS) and other session hijacking attack vectors.

With respect + Best Regards,
Jim Manico
jim.manico@aspectsecurity.com
Application Security Engineer + Web Application Architect

Received on Tuesday, 18 March 2008 09:27:07 GMT
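To make the point of the message concrete, here is an added example (not part of the original post) that parses Set-Cookie header values, emits a session cookie with the HttpOnly flag the message asks for, and audits a set of constructed sample headers for session-like cookies that a script could still read through document.cookie. The session-name hints are an assumption for the demo.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attributes.

Added example, not part of the original message. The header lines below
are constructed samples, not captured from any real server.
"""

SESSION_HINTS = ("sess", "sid", "auth", "token")  # assumed session-cookie name fragments


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into its name, value and attributes.

    Attribute names are case-insensitive per RFC 6265; flag attributes
    (HttpOnly, Secure) map to True, valued ones (Path, Domain) to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def build_session_cookie(name: str, value: str) -> str:
    """Emit a hardened Set-Cookie value: HttpOnly keeps it out of document.cookie."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"


def audit(headers: list[str]) -> list[str]:
    """Return findings for session-like cookies that page scripts could still read."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        looks_like_session = any(hint in c["name"].lower() for hint in SESSION_HINTS)
        if looks_like_session and "httponly" not in c["attrs"]:
            findings.append(f"{c['name']}: missing HttpOnly (readable via document.cookie)")
        if looks_like_session and "secure" not in c["attrs"]:
            findings.append(f"{c['name']}: missing Secure")
    return findings


SAMPLE_HEADERS = [  # constructed sample headers
    "JSESSIONID=8f3a1c; Path=/; httponly; Secure",
    "sid=abc123; Path=/",
    "theme=dark; Path=/",
    build_session_cookie("auth_token", "t0k3n"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```

Only the `sid` cookie is reported: the mixed-case `httponly` on `JSESSIONID` is accepted because attribute names are matched case-insensitively, and `theme` is not treated as a session cookie.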