It is a very interesting idea, but it would take some years to start to take effect, as non-compatible browsers would still be on the market for a few years; Can't we find a solution that works on current browsers? Initially, I thought about encrypting cookie content with a server based key. But this key should have some browser-derived component, something that changes from one browser/computer to another; IP is not practical, as the client can be behind a cluster of proxies. Is there something that the browser shows only to the server and not for the client-side scripts? Let´s se if we can improve this idea, Augusto. -----Mensagem original----- De: Florian Weimer [mailto:Weimer@CERT.Uni-Stuttgart.DE] Enviada em: terça-feira, 5 de novembro de 2002 18:39 Para: Michael Howard Assunto: Re: A technique to mitigate cookie-stealing XSS attacks "Michael Howard" <mikehow@microsoft.com> writes: > In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a > trailing HttpOnly (case insensitive) it will return an empty string to > the browser when accessed from script, such as by using document.cookie. What about HTTP headers which advise user agents to disable some features, e.g. read/write access to the document or parts of it via scripting or other Internet Explorer interfaces? Is anybody interested in writing an Informational RFC on this topic? -- Florian Weimer Weimer@CERT.Uni-Stuttgart.DE University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT fax +49-711-685-5898
