Comments on Alex's Corner: Firefox gets httpOnly!

Anonymous, 2007-07-19 20:22 (+10:00):

There's a reason why it's not widely publicized yet.
Use this bookmarklet on your test page:

    javascript:var%20x%20%3D%20new%20XMLHttpRequest%28%29%3Bx.open%28%22GET%22%2Cdocument.location%2Cfalse%29%3Bx.send%28null%29%3Balert%28x.getAllResponseHeaders%28%29%29%3Balert%28x.getResponseHeader%28%22Set-Cookie%22%29%29

Readable:

    var x = new XMLHttpRequest();
    x.open("GET", document.location, false);
    x.send(null);
    alert(x.getAllResponseHeaders());
    alert(x.getResponseHeader("Set-Cookie"));

This will be fixed soon, but it's been very wise of the Moz devs not to boast too much or recommend too much early half-baked features.

kuza55 (http://www.blogger.com/profile/03932544559060480887), 2007-07-19 20:27 (+10:00):

Ok, that's really surprising, especially considering IE6 was vulnerable to exactly the same issue.

Thanks for pointing it out.

But even if it does have bugs, it's still far better than the situation used to be, because httpOnly raises the bar for an attack considerably. And while some applications do regenerate (or reset) the session token on every request, it's a small case, as opposed to absolutely every app.

Jim Manico (https://www.blogger.com/profile/12382834501997208557), 2008-09-25 13:37 (+10:00):

Firefox 3.1 will patch this issue. See https://bugzilla.mozilla.org/show_bug.cgi?id=380418