[Owasp-topten] Comments on Release Candidate
Dave Wichers
dave.wichers at aspectsecurity.com
Sat Jan 16 13:49:18 EST 2010
I'll try to fit page #'s on it somehow, but I'm not sure where it will
fit.
Regarding HTTPOnly. I don't see any room for it. But what I did do was
add a mention to this topic on the OWASP XSS Prevention Cheat Sheet,
which this article links to.
It's the new section near the bottom: Additional XSS Defense (HTTPOnly
cookie flag). I think that's the best I can do. The HTTPOnly article is
a bit dated. If you have any cycles to do some browser testing and
update the browser support section for HTTPOnly that would be great! I
cc'd Jim Manico since he is one of the primary authors of that article and
a strong advocate to various browser vendors to get HTTPOnly support
provided by the browsers.
Thanks for the input!!
-Dave
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Mungo
Carstairs
Sent: Friday, January 15, 2010 4:59 AM
To: OWASP-TopTen at lists.owasp.org
Subject: [Owasp-topten] Comments on Release Candidate
I like the revised format a lot!
How about adding page numbering to the PDF. It wasn't obvious what
order the pages went in when I took it off the printer.
Is there room to fit in a mention of HttpOnly under XSS prevention? I
think this should be better known.
Regards,
Mungo
Mungo Carstairs
Senior Systems Developer
Business Solutions
Standard Life Employee Services Limited
http://www.standardlife.com
Tel: +44 (0)131 246 2785
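The HttpOnly flag discussed in this thread is only a defense if every session cookie actually carries it, so a check is worth automating. The following is an added example, not code from the thread, the OWASP Top Ten or the XSS Prevention Cheat Sheet: it parses Set-Cookie header values (attribute names are case-insensitive), reports cookies that lack HttpOnly or Secure, and shows the hardened form of a weak header. The sample headers are constructed.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) cookie flags."""
from dataclasses import dataclass, field
from typing import List

# Constructed sample responses: the first is the weak setting, the other two are fine.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",
    "session=xyz; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Max-Age=31536000; httponly; SECURE",
]


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split one Set-Cookie value into its cookie name and attribute set."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; HttpOnly and Secure take no value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    audit = CookieAudit(name, "httponly" in attrs, "secure" in attrs)
    if not audit.httponly:
        audit.findings.append("missing HttpOnly: script can read it via document.cookie")
    if not audit.secure:
        audit.findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    return audit


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Names of cookies in the given Set-Cookie values that lack HttpOnly."""
    return [a.name for a in map(parse_set_cookie, headers) if not a.httponly]


def harden_set_cookie(header_value: str) -> str:
    """Append HttpOnly and Secure when absent, leaving existing attributes intact."""
    audit = parse_set_cookie(header_value)
    hardened = header_value.strip().rstrip(";")
    if not audit.httponly:
        hardened += "; HttpOnly"
    if not audit.secure:
        hardened += "; Secure"
    return hardened


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        a = parse_set_cookie(h)
        print(a.name, "OK" if not a.findings else "; ".join(a.findings))
    print(harden_set_cookie(SAMPLE_HEADERS[0]))
```

Browser support for HttpOnly, which the thread asks about, is a separate check: the flag only helps where the browser withholds the cookie from document.cookie, so this audit confirms the server side of the defense, not the client side.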