Wednesday, February 4, 2009

Firefox 3.0.0.6 HTTPOnly Champion!

Firefox 3.0.0.6 is truly an HTTPOnly champion!

I want to extend sincere congratulations to the entire Mozilla team. For the first time, a browser has shipped with complete support for the HTTPOnly cookie flag, including protection against leakage of HTTPOnly cookies through XMLHttpRequest (XHR) response headers.

The JavaScript document.cookie call has been blocked from returning HTTPOnly cookies since Firefox 2.0.0.6. What delayed truly comprehensive HTTPOnly support in Firefox is described in the Mozilla bug entry: "XMLHttpRequest subverts the idea of HTTPOnly cookies since it allows sending a request and reading of Set-Cookie or Set-Cookie2 headers in the response - even if it has HTTPOnly flag set." In other words, a script that could not read the cookie via document.cookie could still obtain it by issuing an XHR to the site and reading the Set-Cookie(2) headers off the response.

IE 7/8 is very close to complete HTTPOnly support. When we test IE 7.0.5730.13 against http://ha.ckers.org/httponly.cgi, the result is Set-Cookie2 leakage; at least Set-Cookie is not leaked. (Note that even though IE exposes a Set-Cookie header in the screenshot below, it was a non-HTTPOnly cookie, so that exposure is reasonable: script could read that cookie through document.cookie anyway.)



But look at the test results for Firefox 3.0.0.6 - ALL SET-COOKIE(2) HEADERS ARE REMOVED! Even non-HTTPOnly cookies are now stripped from the XHR response headers!
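The check described above, written out as an added example (this is not code from the original post or from the ha.ckers.org test page): an XHR probe that reads getAllResponseHeaders(), plus a small classifier that decides whether a header dump leaks an HTTPOnly cookie, leaks only non-HTTPOnly cookies (the IE 7 result), or exposes no Set-Cookie(2) header at all (the Firefox 3.0.0.6 result). The header dumps at the bottom are constructed stand-ins for the browsers' output, not captured data, and probeHttpOnlyLeak() only runs where XMLHttpRequest exists.

```javascript
// Added example, not part of the original post. Parses the text returned by
// XMLHttpRequest.getAllResponseHeaders() (CRLF-separated "Name: value" lines)
// into {name, value} pairs. Header names are case-insensitive, so lower-case them.
function parseResponseHeaders(raw) {
  const headers = [];
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // blank or malformed line
    headers.push({
      name: line.slice(0, idx).trim().toLowerCase(),
      value: line.slice(idx + 1).trim(),
    });
  }
  return headers;
}

// Split one Set-Cookie / Set-Cookie2 value into the cookie name and a flag
// telling whether the HttpOnly attribute was present.
function parseSetCookie(value) {
  const parts = value.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const name = eq > 0 ? parts[0].slice(0, eq).trim() : parts[0];
  const attrs = parts.slice(1).map((p) => p.split('=')[0].trim().toLowerCase());
  return { name, httpOnly: attrs.includes('httponly') };
}

// Classify what a header dump exposes to script. verdict is one of:
//   "httponly-leak"  a cookie flagged HttpOnly is readable through XHR (the bug)
//   "plain-leak"     only non-HttpOnly cookies are exposed; acceptable, since
//                    document.cookie would return them anyway (the IE 7 result)
//   "clean"          no Set-Cookie(2) header reaches script (Firefox 3.0.0.6)
function classifyCookieExposure(raw) {
  const cookies = parseResponseHeaders(raw)
    .filter((h) => h.name === 'set-cookie' || h.name === 'set-cookie2')
    .map((h) => ({ header: h.name, ...parseSetCookie(h.value) }));
  const leaked = cookies.filter((c) => c.httpOnly);
  let verdict = 'clean';
  if (leaked.length > 0) verdict = 'httponly-leak';
  else if (cookies.length > 0) verdict = 'plain-leak';
  return { verdict, cookies, leaked };
}

// Browser-side probe: request a page that sets an HttpOnly cookie (the url is a
// placeholder, e.g. the ha.ckers.org test page) and classify what the browser
// lets script read back. Does nothing useful outside a browser.
function probeHttpOnlyLeak(url, callback) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url, true);
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4) {
      callback(classifyCookieExposure(xhr.getAllResponseHeaders()));
    }
  };
  xhr.send(null);
}

// Constructed header dumps standing in for getAllResponseHeaders() output.
// They illustrate the three outcomes; they are not captured browser output.
const OLD_FIREFOX_STYLE_DUMP =
  'Content-Type: text/html\r\n' +
  'Set-Cookie: session=abc123; Path=/; HttpOnly\r\n'; // HttpOnly cookie leaked

const IE7_STYLE_DUMP =
  'Content-Type: text/html\r\n' +
  'Set-Cookie: plain=1; Path=/\r\n' +                // non-HttpOnly, reasonable
  'Set-Cookie2: secret=2; Version=1; HttpOnly\r\n';  // HttpOnly leaked via Set-Cookie2

const FIREFOX_3006_STYLE_DUMP = 'Content-Type: text/html\r\n'; // all Set-Cookie(2) stripped
```

The verdict is what matters for the test in the post: a "plain-leak" result is tolerable because those cookies were never protected from script, while "httponly-leak" means the flag is being bypassed. Stripping every Set-Cookie(2) header regardless of the flag, as Firefox 3.0.0.6 does, is the simplest way to guarantee the "clean" outcome, which is why it also breaks scripts that relied on reading those headers.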


Sincere congratulations to the entire Mozilla team. I applaud your dedication to web application security excellence!

2 comments:

zjt said...

I guess I can't complain about security fixes, but it broke the JWChat jabber client. :-(

Jim Manico said...

The HTTPOnly changes will break anything that depends on retrieving cookie information from XHR headers (independent of whether HTTPOnly is in use). Firefox's XHR JavaScript class no longer adds cookie data to XHR.getAllResponseHeaders and similar APIs.