Timeline for Solution to allow JavaScript input but prevent XSS
Current License: CC BY-SA 3.0
4 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Jun 20, 2012 at 2:52 | comment | added | curiousguy | | (...) And some websites only allow interaction from the original IP address (a terrible idea IMO). IOW, HTTPOnly prevents an attacker from doing something he wouldn't do anyway. So if someone thinks HTTPOnly is the solution to a security problem (any security problem really), the odds that he is wrong are 99:1. |
| Jun 20, 2012 at 2:50 | comment | added | curiousguy | | "HTTPOnly flag does [prevent stealing cookies]" but it doesn't prevent sending them to the original website, and reading resources obtained by sending them to the original site, so HTTPOnly adds very little security (if it adds any security at all). Note that in most cases the security-sensitive cookies are opaque values (like a session ID), so that the only possible use of them by an attacker is to send them back to the original website anyway. |
| Jun 30, 2011 at 13:15 | history | edited | bretik | CC BY-SA 3.0 | added 4 characters in body |
| Jun 30, 2011 at 7:50 | history | answered | bretik | CC BY-SA 3.0 | |