Bugtraq mailing list archives

Re: A technique to mitigate cookie-stealing XSS attacks


From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: Tue, 05 Nov 2002 22:38:32 +0100

"Michael Howard" <mikehow () microsoft com> writes:

> In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a
> trailing HttpOnly (case insensitive) it will return an empty string to
> the browser when accessed from script, such as by using document.cookie.

What about HTTP headers which advise user agents to disable some
features, e.g. read/write access to the document or parts of it via
scripting or other Internet Explorer interfaces?

Is anybody interested in writing an Informational RFC on this topic?

-- 
Florian Weimer                    Weimer () CERT Uni-Stuttgart DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
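The mechanism discussed above, as an added example that is not part of the original thread or of any Microsoft code: a server builds Set-Cookie headers with and without the HttpOnly attribute, and a small cookie-jar model shows what the Cookie request header carries back versus what script can read through document.cookie. The model follows the behaviour later standardised in RFC 6265 (an HttpOnly cookie is simply omitted from document.cookie, while the other cookies remain visible); it does not try to reproduce the exact IE 6.0 SP1 behaviour described in the quoted text. The helper names (buildSetCookie, parseSetCookie, CookieJar, simulateXssTheft, demo) and the cookie names and values are hypothetical.

```javascript
// Added example, not from the original thread. Models how a user agent
// treats the HttpOnly cookie attribute: the cookie is still sent back to the
// server in the Cookie request header, but is left out of document.cookie,
// so an XSS payload that reads document.cookie cannot steal it.
// Assumption: RFC 6265-style behaviour (per-cookie omission), not the exact
// IE 6.0 SP1 behaviour described in the quoted message.

// Server side: build a Set-Cookie header value. The attribute names are
// hypothetical defaults chosen for this example.
function buildSetCookie(name, value, { path = '/', httpOnly = false, secure = false } = {}) {
  let header = `${name}=${value}; Path=${path}`;
  if (secure) header += '; Secure';
  if (httpOnly) header += '; HttpOnly';
  return header;
}

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are matched case-insensitively, as the quoted message
// says IE does for "HttpOnly".
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split('=');
    attrs[k.trim().toLowerCase()] = v.length ? v.join('=').trim() : true;
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// A minimal stand-in for the browser's cookie store.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  store(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    this.cookies.set(c.name, c);
  }

  // What the Cookie request header carries back to the server: every cookie,
  // HttpOnly or not. The server-side session still works.
  requestHeader() {
    return [...this.cookies.values()].map(c => `${c.name}=${c.value}`).join('; ');
  }

  // What script sees via document.cookie: HttpOnly cookies are omitted.
  documentCookie() {
    return [...this.cookies.values()]
      .filter(c => !c.attrs.httponly)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Simulated cookie-stealing XSS payload: it can only exfiltrate whatever
// document.cookie exposes.
function simulateXssTheft(jar) {
  return jar.documentCookie();
}

// Constructed scenario: a session cookie marked HttpOnly and a harmless
// preference cookie without it.
function demo() {
  const jar = new CookieJar();
  jar.store(buildSetCookie('SESSIONID', 'a1b2c3', { httpOnly: true, secure: true }));
  jar.store(buildSetCookie('theme', 'dark'));
  return {
    requestHeader: jar.requestHeader(),   // both cookies reach the server
    documentCookie: jar.documentCookie(), // only "theme=dark" is visible to script
    stolen: simulateXssTheft(jar),        // the attacker gets no session ID
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point the example makes is that HttpOnly changes only the script-visible view, not the request path: the server keeps receiving the session cookie, so the application is unaffected, while a document.cookie read from injected script yields only the cookies that were never marked HttpOnly. The attribute is therefore a mitigation for cookie theft specifically, not a fix for the XSS itself, since injected script can still make requests with the victim's cookies attached by the browser.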

