Thursday, July 19, 2007

Firefox gets httpOnly!

I don't usually report on things here, but since no-one else seems to be saying something, I thought I should.

Anyway, Firefox has finally implemented httpOnly cookies, in 2.0.0.5, as you can see from their patch notes, and the following test case: http://kuza55.awardspace.com/httponly.php

Note: if httpOnly cookies are implemented, the alert box should be blank; if they are not implemented, you should see an alert that says hidden=value.

<?php
// Set a cookie flagged httpOnly; a compliant browser must hide it from script.
header("Set-Cookie: hidden=value; httpOnly");
?>
<html>
<body>
<script>
// Alerts an empty string when httpOnly is honoured, "hidden=value" otherwise.
alert(document.cookie);
</script>
</body>
</html>
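As an added example (not code from the original post), a small Node.js audit helper that parses Set-Cookie headers and reports which cookies a page script could still read through document.cookie; the sample headers are constructed, and attribute matching is case-insensitive so the post's `httpOnly` spelling is honoured like `HttpOnly`.

```javascript
// Added example, not from the original post: audit Set-Cookie headers and
// compute the document.cookie view a page script would get (HttpOnly withheld).

// Parse one Set-Cookie header value into its name/value pair and attribute flags.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? "" : parts[0].slice(eq + 1).trim(),
    httpOnly: false,
    secure: false,
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, ...rest] = attr.split("=");
    const key = rawKey.trim().toLowerCase(); // attribute names are case-insensitive
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else cookie.attributes[key] = rest.join("=").trim();
  }
  return cookie;
}

// Return the document.cookie string a page script would see for these headers:
// HttpOnly cookies are withheld, so an empty string matches the blank alert box.
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Names of cookies a script could read, for an audit to flag.
function cookiesMissingHttpOnly(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.httpOnly).map((c) => c.name);
}

// Constructed sample headers: the post's cookie plus two others for contrast.
const SAMPLE_HEADERS = [
  "hidden=value; httpOnly",
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
  "theme=dark; Path=/",
];

console.log(JSON.stringify(scriptVisibleCookies(SAMPLE_HEADERS))); // "theme=dark"
console.log(cookiesMissingHttpOnly(SAMPLE_HEADERS)); // [ 'theme' ]
```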


So hurrah for the Firefox developers who made this happen, no matter how long it took.

3 comments:

ma1 said...

There's a reason why it's not widely publicized yet.
Use this bookmarklet on your test page:
javascript:var%20x%20%3D%20new%20XMLHttpRequest%28%29%3Bx.open%28%22GET%22%2Cdocument.location%2Cfalse%29%3Bx.send%28null%29%3Balert%28x.getAllResponseHeaders%28%29%29%3Balert%28x.getResponseHeader%28%22Set-Cookie%22%29%29

Readable:

var x = new XMLHttpRequest();
x.open("GET", document.location, false);
x.send(null);
alert(x.getAllResponseHeaders());
alert(x.getResponseHeader("Set-Cookie"));


This will be fixed soon, but it's been very wise of the Moz devs not to boast too much about, or recommend too early, half-baked features.

kuza55 said...

Ok, that's really surprising, especially considering IE6 was vulnerable to exactly the same issue.

Thanks for pointing it out.

But even if it does have bugs, it's still far better than the situation used to be.

Because httpOnly raises the bar for an attack considerably. And while some applications do regenerate (or reset) the session token on every request, it's a small case, as opposed to absolutely every app.

Jim Manico said...

Firefox 3.1 will patch this issue. See https://bugzilla.mozilla.org/show_bug.cgi?id=380418