Comment 7 for bug 96878

David Wagner (daw-bugzilla) wrote : Re: Launchpad session cookie should be hidden from Javascript

I wonder if you're aware that HttpOnly adds only very limited protections? If someone can run malicious script on your domain, then in most cases they can do just as much harm with HttpOnly cookies as without; it just requires a more complex attack. So this may "raise the bar" slightly, but doesn't add a lot of security; you're primarily relying upon avoiding XSS bugs in the first place.

Analysis and detailed justification:
http://www.gnucitizen.org/blog/why-httponly-wont-protect-you/
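As an added example that is not part of the comment above nor Launchpad's own code, the check below is what a reviewer would run against a site's `Set-Cookie` headers while verifying this bug: it parses each header and reports session-looking cookies that lack `HttpOnly` (and, for completeness, `Secure` and `SameSite`). The cookie names, values and the name heuristic are constructed assumptions. The comments carry the point the comment makes: `HttpOnly` only blocks `document.cookie` reads, so it is a hardening step on top of avoiding XSS, not a replacement for it.

```python
"""Audit Set-Cookie headers for the flags a session cookie should carry.

Added example (not Launchpad code). Cookie names and values are constructed.
HttpOnly stops script from reading the cookie via document.cookie; it does not
stop script running on the origin from issuing requests the browser still
sends with the cookie attached. Treat a missing flag as a finding, but treat
the absence of XSS bugs as the actual control.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# Name fragments that suggest a cookie carries authentication state (heuristic).
SESSION_NAME_HINTS = ("session", "sess", "sid", "auth", "token", "login")


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, Union[str, bool]]]:
    """Split one Set-Cookie value into (cookie name, attributes).

    Attribute keys are lower-cased; valueless attributes such as HttpOnly and
    Secure are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name.strip(), attrs


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Report missing hardening attributes on a cookie that looks like a session."""
    name, attrs = parse_set_cookie(header_value)
    http_only = attrs.get("httponly") is True
    secure = attrs.get("secure") is True
    same_site_raw = attrs.get("samesite")
    same_site = same_site_raw if isinstance(same_site_raw, str) else None
    audit = CookieAudit(name, http_only, secure, same_site)
    if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
        return audit  # non-sensitive cookie: nothing to report
    if not http_only:
        audit.findings.append("readable via document.cookie: add HttpOnly")
    if not secure:
        audit.findings.append("may be sent over plain HTTP: add Secure")
    if same_site is None:
        audit.findings.append("no SameSite attribute: add SameSite=Lax or Strict")
    return audit


def audit_headers(set_cookie_values: List[str]) -> List[CookieAudit]:
    """Audit every Set-Cookie value a response carried."""
    return [audit_set_cookie(v) for v in set_cookie_values]


# Constructed sample headers so the script runs stand-alone.
SAMPLE_HEADERS = [
    "session_id=EXAMPLE123; Path=/; Secure",                          # missing HttpOnly
    "session_id=EXAMPLE123; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "theme=dark; Path=/",                                             # not sensitive
]

if __name__ == "__main__":
    for result in audit_headers(SAMPLE_HEADERS):
        status = "OK" if not result.findings else "; ".join(result.findings)
        print(f"{result.name}: {status}")
```

Run it against the `Set-Cookie` values captured from a login response; a session cookie with an empty findings list carries all three attributes, but that still says nothing about whether the application has script-injection bugs.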