Bugtraq mailing list archives
Re: A technique to mitigate cookie-stealing XSS attacks
From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: Tue, 05 Nov 2002 22:38:32 +0100
"Michael Howard" <mikehow () microsoft com> writes:
> In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a trailing HttpOnly (case insensitive) it will return an empty string to the browser when accessed from script, such as by using document.cookie.
What about HTTP headers which advise user agents to disable some features, e.g. read/write access to the document or parts of it via scripting or other Internet Explorer interfaces? Is anybody interested in writing an Informational RFC on this topic?

--
Florian Weimer                    Weimer () CERT Uni-Stuttgart DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
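Added example (not part of the thread, and not Microsoft's or Florian Weimer's code): a small Python audit of Set-Cookie header values that flags cookies lacking the HttpOnly attribute, appends it where missing, and models the behaviour the quoted message describes, namely that a cookie carrying HttpOnly is left out of what script sees through document.cookie. The sample headers are constructed. The checker matches the attribute case-insensitively, as the quoted message states, but accepts it in any position rather than only as the trailing attribute; that generalization is an assumption of this example.

```python
"""Audit Set-Cookie headers for HttpOnly and model script-visible cookies.

Added example, not code from the original post. Sample data is constructed.
"""

from typing import Dict, List, Tuple

# Constructed sample Set-Cookie header values (not from the post).
SAMPLE_HEADERS: List[str] = [
    "SESSIONID=abc123; path=/; HttpOnly",
    "PREFS=dark; path=/; httponly",  # attribute name is case-insensitive
    "TRACK=xyz; path=/; expires=Wed, 06-Nov-2002 22:38:32 GMT",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {lowercased attr: attr value}).

    Attributes are separated by ';'. Flag attributes such as HttpOnly have no
    value and map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def is_http_only(header: str) -> bool:
    """True when the cookie carries the HttpOnly attribute (any case)."""
    _, _, attrs = parse_set_cookie(header)
    return "httponly" in attrs


def cookies_missing_http_only(headers: List[str]) -> List[str]:
    """Names of cookies that script could still read: the audit finding."""
    return [parse_set_cookie(h)[0] for h in headers if not is_http_only(h)]


def add_http_only(header: str) -> str:
    """Harden a Set-Cookie value by appending HttpOnly as the trailing attribute."""
    if is_http_only(header):
        return header
    return header.rstrip("; ") + "; HttpOnly"


def script_visible_cookies(headers: List[str]) -> str:
    """Model the behaviour quoted above: HttpOnly cookies are omitted from the
    string that script obtains via document.cookie."""
    visible = []
    for h in headers:
        name, value, attrs = parse_set_cookie(h)
        if "httponly" not in attrs:
            visible.append(f"{name}={value}")
    return "; ".join(visible)


if __name__ == "__main__":
    print("missing HttpOnly:", cookies_missing_http_only(SAMPLE_HEADERS))
    print("script sees:", repr(script_visible_cookies(SAMPLE_HEADERS)))
    hardened = [add_http_only(h) for h in SAMPLE_HEADERS]
    print("script sees after hardening:", repr(script_visible_cookies(hardened)))
```

Run against the constructed headers, only TRACK is reported as readable by script; after hardening, the modelled document.cookie string is empty. A session identifier that is needed only by the server is the usual candidate for the attribute, since script on the page has no legitimate reason to read it.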
Current thread:
- A technique to mitigate cookie-stealing XSS attacks Michael Howard (Nov 05)
- Re: A technique to mitigate cookie-stealing XSS attacks Florian Weimer (Nov 05)
- Re: A technique to mitigate cookie-stealing XSS attacks Valdis . Kletnieks (Nov 07)
- Re: A technique to mitigate cookie-stealing XSS attacks Florian Weimer (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks David Wagner (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks Valdis . Kletnieks (Nov 07)
- Re: A technique to mitigate cookie-stealing XSS attacks Justin King (Nov 09)
- Re: A technique to mitigate cookie-stealing XSS attacks Ulf Harnhammar (Nov 11)
- RE: A technique to mitigate cookie-stealing XSS attacks jasonk (Nov 12)
- Re: A technique to mitigate cookie-stealing XSS attacks Seth Arnold (Nov 14)
- Re: A technique to mitigate cookie-stealing XSS attacks Ulf Harnhammar (Nov 11)
- <Possible follow-ups>
- Re: A technique to mitigate cookie-stealing XSS attacks Matthew Collins (Nov 07)
- Re: A technique to mitigate cookie-stealing XSS attacks Nick Simicich (Nov 08)
- Re: A technique to mitigate cookie-stealing XSS attacks Peter Watkins (Nov 08)