oss-sec mailing list archives
Re: Re: Question regarding CVE applicability of missing HttpOnly flag
From: Vladimir '3APA3A' Dubrovin <vlad () securityvulns ru>
Date: Thu, 26 Jun 2014 21:53:01 +0400
At least sharing a session with a Flash application may require JavaScript access to session cookies. It can be worked out in most cases, but it's not as simple as
"just make all session cookies HTTPOnly". Kurt Seifried writes:
So with widespread XSS in mind, I think it's safe to say that virtually every web site (even sites that care deeply and spend time/money and have bug bounties) has lurking XSS flaws, which if HTTPOnly is not used can result in cookie theft. So in my mind HTTPOnly isn't an option any more, but a requirement, ergo in most situations no HTTPOnly = win a CVE.
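An added example, not part of the thread: a small auditor that parses Set-Cookie header values and reports session-like cookies that lack HttpOnly, so a reviewer can see which ones a script (and hence an XSS bug) could read. The name heuristics and the sample headers are constructed assumptions; a cookie deliberately left script-readable for a Flash client, as Vladimir describes, still shows up and has to be judged by hand.

```python
from dataclasses import dataclass

# Name fragments that usually indicate a session identifier (constructed heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")


@dataclass
class CookieReport:
    name: str
    httponly: bool
    secure: bool
    looks_like_session: bool


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value into its name and the flags that matter here."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; value-less attributes (Secure, HttpOnly) are just flags.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    lowered = name.lower()
    return CookieReport(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        looks_like_session=any(hint in lowered for hint in SESSION_NAME_HINTS),
    )


def audit_set_cookie_headers(headers):
    """Return names of session-like cookies that a script could read (no HttpOnly flag)."""
    return [r.name for r in map(parse_set_cookie, headers)
            if r.looks_like_session and not r.httponly]


# Constructed sample response headers, not taken from any real site.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",   # protected from script access
    "PHPSESSID=def456; Path=/",                      # readable by script: an XSS bug leaks it
    "lang=en; Path=/; Max-Age=31536000",             # not a session cookie; HttpOnly irrelevant
    "flash_sid=ghi789; Path=/; Secure",              # intentionally script-readable for a Flash client
]

if __name__ == "__main__":
    for name in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"session cookie without HttpOnly: {name}")
```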