The HTTPOnly crusade grows stronger.
I have victories to report on several fronts regarding the adoption of HTTPOnly, to the point of stopping XMLHttpRequest.getAllResponseHeaders leakage of HTTPOnly cookies.
The latest and greatest browsers and standards address this issue.
First out of the gate is Internet Explorer. My HTTPOnly hat's off to Microsoft for delivering the first browser to implement a defense against the HTTPOnly exposure vector described above. http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
However, IE did NOT implement protection from set-cookie2 header exposure!! The horror!
I still declare the HTTPOnly browser war active!
Will Firefox deliver the first browser to truly implement complete HTTPOnly in a way that would make the HTTPOnly working group pleased? Could Opera, Safari or Chrome sneak in with a win?
As I mentioned in an earlier post, some of the recent editorial versions of the XHR specification at W3C include clear verbiage that prevents reading of ALL set-cookie/2 headers via getAllResponseHeaders() and getResponseHeader() in a case-insensitive way. Nice!
It's the securing of these core RFCs that helps make the applications and browsers of tomorrow more secure. Thanks Anne!
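To make the specification behaviour concrete, here is an added example (not code from the specification or from any browser) that models the filter: both cookie headers are hidden from getAllResponseHeaders() and getResponseHeader() regardless of case. The function names, the `SET_COOKIE_ONLY` filter and the sample headers are constructed for illustration.

```javascript
// Added illustration: a model of XHR response-header filtering.
// Not browser source; every name below is hypothetical.

// Constructed sample response headers, as name/value pairs.
const SAMPLE_HEADERS = [
  ["Content-Type", "text/html"],
  ["Set-Cookie", "SID=abc123; HttpOnly"],
  ["SET-COOKIE2", "SID2=def456; HttpOnly"],
  ["set-cookie", "theme=dark"],
  ["X-Frame-Options", "DENY"],
];

// Header names script must never read, stored lower-cased.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// A filter that only knows Set-Cookie (models the Set-Cookie2 gap).
const SET_COOKIE_ONLY = new Set(["set-cookie"]);

// Case-insensitive membership test against a block list.
function isForbidden(name, blocked = FORBIDDEN) {
  return blocked.has(name.toLowerCase());
}

// Model of getAllResponseHeaders(): drop every blocked header line.
function getAllResponseHeaders(headers, blocked = FORBIDDEN) {
  return headers
    .filter(([name]) => !isForbidden(name, blocked))
    .map(([name, value]) => `${name}: ${value}`)
    .join("\r\n");
}

// Model of getResponseHeader(): null for blocked or absent names.
function getResponseHeader(headers, wanted, blocked = FORBIDDEN) {
  if (isForbidden(wanted, blocked)) return null;
  const values = headers
    .filter(([name]) => name.toLowerCase() === wanted.toLowerCase())
    .map(([, value]) => value);
  return values.length ? values.join(", ") : null;
}

// Audit helper: cookie-bearing lines a given filter still exposes.
function leakedCookieHeaders(headers, blocked) {
  return getAllResponseHeaders(headers, blocked)
    .split("\r\n")
    .filter((line) => /^set-cookie2?:/i.test(line));
}
```

Running `leakedCookieHeaders(SAMPLE_HEADERS, SET_COOKIE_ONLY)` shows the Set-Cookie2 line still visible to script, while the full `FORBIDDEN` list leaves nothing to read.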
PS: As an HTTPOnly bonus, check out Ryan Barnett's blog post on how to add HTTPOnly protection using ModSecurity.