This seems the wrong way round to me. After all, how often do you access cookies from client side code? Personally, I've never done it. I would have IE disallow all access to cookies from scripts, unless either, it's disabled in security options (Allow scripts to access cookies) or the server passes an extension to the browser. ; Scriptable; That way you don't have to change code for your web applications, unless you need scripts on your site to have access to cookies. You can make your browser instantly a lot safer against XSS attacks on all sites you go to, rather than relying on the coder to set this flag. If you could rely on the programmer to get it right, you wouldn't have to worry about XSS attacks anyway would you? >>> "Michael Howard" <mikehow@microsoft.com> 05/11/02 18:44:24 >>> During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet Explorer team devised a method to reduce the risk of cookie-stealing attacks via XSS vulnerabilities. In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a trailing HttpOnly (case insensitive) it will return an empty string to the browser when accessed from script, such as by using document.cookie. Obviously, the server must add this option to all outgoing cookies. Note, this does _not fix_ XSS bugs in server code; it only helps reduce the potential damage from cookie disclosure threats. Nothing more. Think of it as a very small insurance policy! A full write-up outlining the HttpOnly flag, as well as source code to set this option, is at http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp. Cheers, Michael Howard Secure Windows Initiative Microsoft Corp. Writing Secure Code http://www.microsoft.com/mspress/books/5612.asp **************************************************************************************** This message and any attachments are confidential to the ordinary user of the e-mail address to which it was addressed and may also be privileged. If you are not the addressee you may not copy, forward, disclose or use any part of the message or its attachments and if you have received this message in error, please notify the sender immediately by return e-mail and delete it from your system. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message which arise as a result of Internet transmission. Northern Registrars Limited, Northern House, Woodsome Park, Fenay Bridge, Huddersfield. HD8 0LA. Tel: +44 (0) 1484 600900 Fax: +44 (0) 1484 600911 For more information visit our web site: http://www.northernregistrars.co.uk ****************************************************************************************
