On Thu, Nov 07, 2002 at 11:50:03PM -0500, Nick Simicich wrote: > At 10:44 AM 2002-11-05 -0800, Michael Howard wrote: > > >During the Windows Security Push in Feb/Mar 2002, the Microsoft Internet > >Explorer team devised a method to reduce the risk of cookie-stealing > >attacks via XSS vulnerabilities. > Has anyone looked at the impact of simply changing the default: Do not > allow cookies to be accessed from javascript unless they were set from > javascript in the first place, or have a trailing jscript on any cookie > that *should* be returned by document.cookie. > The only thing that breaks is the subset who set a cookie with the > set-cookie header who then want to access the cookie with javascript, and > as others note, that just is not done much. It would break a fair bit of code at my employer's site, things like logout buttons that are displayed if the user appears to be logged in (better to let the client burn those cycles than the server), etc. This will allow us to flag the session-authenticating cookies as HTTP-only while leaving the session-identifying cookies available to scripts. Most importantly, your suggestion would break applications that are safely written. Counter-argument: the IE team's HttpOnly approach can be adopted now, without breaking any existing apps. Maybe it's not as good as the denied-unless-allowed model you suggest, but it's better than the current anything-goes status quo. > >Note, this does _not fix_ XSS bugs in server code; it only helps reduce > >the potential damage from cookie disclosure threats. Nothing more. Think > >of it as a very small insurance policy! And a very welcome one; many thanks to Microsoft for implementing, and the Bugtraq folks for approving the post describing the feature. This mechanism has been suggested as a feature enhancement to the Open Source Mozilla browser; interested parties can read details (and vote if you like the idea) at http://bugzilla.mozilla.org/show_bug.cgi?id=178993 -Peter -- Peter Watkins - peterw@tux.org - peterw@usa.net - http://www.tux.org/~peterw/ Private personal mail: use PGP key F4F397A8; more sensitive data? Use 2D123692
Attachment:
pgp00234.pgp
Description: PGP signature
