[owasp-intrinsic-security] HTTPOnly cookie flag

Bil Corry bil at corry.biz
Mon Nov 10 14:48:00 EST 2008


Jim Manico wrote on 11/10/2008 12:56 PM: 
> http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-03.txt
> does not mention HttpOnly at all - perhaps that would be a great place
> to start in your conversations with Y.

The issue is there isn't a published spec on HTTPOnly (at least none that I can find).  Maybe Microsoft has one, but otherwise, I'm assuming each browser vendor has been winging it.  So first step would be to create a spec for HTTPOnly and either work with Yngve to roll it into his existing draft, or create a separate draft just for HTTPOnly.


> As a side note, one thing I see the FireFox team doing to offer complete
> HttpOnly support is to prevent XHR access both to set-cookie and
> set-cookie2. Seems like FireFox is about to be the first browser out the
> gate to truly offer complete HttpOnly support.

In talking with Yngve, it occurred to me that XHR and access to headers might be better handled by the draft that Anne is working on:

	XMLHttpRequest Level 2
	http://www.w3.org/TR/XMLHttpRequest2/


So for setting outbound cookie headers, Anne's draft already specifies that it's prohibited: 

-----
For security reasons, these steps should be terminated if the header argument case-insensitively matches one of the following headers:
    ...
    * Cookie
    * Cookie2
    ...

http://www.w3.org/TR/XMLHttpRequest2/#setrequestheader
-----

What I'm not clear on is if that restriction is for all XHR requests, or just XS-XHR requests.  If only XS-XHR requests, then the original XHR spec needs to be updated:

	http://www.w3.org/TR/XMLHttpRequest/#setrequestheader


For reading cookie headers, XS-XHR has a filtering mechanism:

-----
Note: The Access Control for Cross-Site Requests specification filters the headers that are exposed by getAllResponseHeaders()
Note: The Access Control for Cross-Site Requests specification filters the headers that are exposed by getResponseHeader()

http://www.w3.org/TR/XMLHttpRequest2/#getallresponseheaders
http://www.w3.org/TR/XMLHttpRequest2/#getresponseheader
-----

But I think it should just outright prevent reading any cookie header for any cookie that is HTTPOnly.  Or less ideal but better than nothing, the filtering mechanism should be extended to plain XHR as well.



- Bil
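Added example, not part of the message above and not browser or specification code: a small JavaScript model of the two XHR rules under discussion, the request-side block on `Cookie`/`Cookie2` and three response-side policies (no filtering, hiding only HttpOnly cookie headers as the reply proposes, and the blanket block on `Set-Cookie`/`Set-Cookie2` described in the quoted text). The function names, policy labels and sample headers are constructed for illustration, and it assumes one cookie per header line.

```javascript
// Illustrative model only; function names and policy labels are hypothetical.
// Request side: the two names visible in the quoted setRequestHeader() list.
const BLOCKED_REQUEST_HEADERS = new Set(['cookie', 'cookie2']);

function isBlockedRequestHeader(name) {
  return BLOCKED_REQUEST_HEADERS.has(name.trim().toLowerCase());
}

// True when a cookie header value carries the HttpOnly attribute. Attributes
// follow the first name=value pair, so a cookie *value* of "HttpOnly" is ignored.
function hasHttpOnly(value) {
  return value.split(';').slice(1)
    .some(attr => attr.split('=')[0].trim().toLowerCase() === 'httponly');
}

// Response side: the headers script could read under each policy.
//   'none'     - nothing filtered
//   'httponly' - hide cookie headers flagged HttpOnly (proposed in the reply)
//   'all'      - hide every Set-Cookie and Set-Cookie2 header
function exposedResponseHeaders(rawHeaders, policy) {
  return rawHeaders.filter(([name, value]) => {
    const n = name.trim().toLowerCase();
    if (n !== 'set-cookie' && n !== 'set-cookie2') return true;
    if (policy === 'all') return false;
    if (policy === 'httponly') return !hasHttpOnly(value);
    return true;
  });
}

// Constructed sample response headers (one cookie per header line assumed).
const SAMPLE_HEADERS = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'SID=abc123; Path=/; HttpOnly'],
  ['set-cookie', 'theme=dark; Path=/'],
  ['Set-Cookie2', 'SID2=def456; Version=1; httponly'],
  ['Set-Cookie', 'note=HttpOnly; Path=/'],
];

for (const policy of ['none', 'httponly', 'all']) {
  const visible = exposedResponseHeaders(SAMPLE_HEADERS, policy);
  console.log(policy, visible.map(([n, v]) => `${n}: ${v}`));
}
```

Under the `httponly` policy the session cookies disappear from script's view while `theme` and `note` remain readable, which is the difference between the per-cookie rule and the blanket block.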


