[owasp-intrinsic-security] IE HTTPOnly Patch
jim.manico at aspectsecurity.com
Fri Nov 14 15:37:40 EST 2008
IE's patch MS08-069
not COMPLETELY stop HTTPOnly cookie exposure.
Robert Hansen was kind enough to add a set-cookie2 test to
http://ha.ckers.org/httponly.cgi today, which indeed IE exposes via
XMLHTTPRequest response headers.
Robert has already brought this to MS's attention.
Looks like Firefox 3.1 or 3.2 will be the first browser to really
implement HTTPOnly completely.
Jim Manico, Senior Application Security Engineer
jim.manico at aspectsecurity.com <mailto:jim.manico at aspectsecurity.com>
(301) 604-4882 (work)
(808) 652-3805 (cell)
Securing your applications at the source
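As an added example (not part of Jim's message and not the ha.ckers.org script), here is the check the thread describes, written for a browser: request a page with XMLHttpRequest and look for cookie-setting headers in the response dump. A browser that fully honours HttpOnly hides both Set-Cookie and Set-Cookie2 from getAllResponseHeaders(); the header strings below are constructed samples of what a browser might hand back, and the probe URL is a placeholder.

```javascript
// Added example: detect whether a browser exposes HttpOnly cookies through
// XMLHttpRequest response headers. Not the original ha.ckers.org test.

// Headers that carry cookies; Set-Cookie2 (RFC 2965) is the one the post
// says IE still exposed after MS08-069.
const COOKIE_HEADERS = ["set-cookie", "set-cookie2"];

// Parse the raw string returned by xhr.getAllResponseHeaders() (CRLF-separated
// "Name: value" lines) and return the HttpOnly cookies it reveals to script.
function leakedHttpOnlyCookies(rawHeaders) {
  const leaks = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!COOKIE_HEADERS.includes(name)) continue;
    // Only cookies flagged HttpOnly must be invisible to script; a leak is
    // any such cookie that nevertheless shows up in the header dump.
    if (/;\s*httponly\b/i.test(value)) {
      leaks.push({ header: name, cookie: value.split(";")[0].trim() });
    }
  }
  return leaks;
}

// Browser-side probe: fetch a URL that sets HttpOnly cookies (placeholder
// assumption) and hand any leaked cookies to the callback.
function probeHttpOnlyLeak(url, callback) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", url, true);
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;
    callback(leakedHttpOnlyCookies(xhr.getAllResponseHeaders()));
  };
  xhr.send(null);
}

// Constructed samples of header dumps a browser might return.
const SAMPLE_LEAKY = "Content-Type: text/html\r\nSet-Cookie2: sid=abc123; Path=/; HttpOnly\r\n";
const SAMPLE_CLEAN = "Content-Type: text/html\r\nSet-Cookie: theme=dark; Path=/\r\n";

if (typeof window !== "undefined" && typeof XMLHttpRequest !== "undefined") {
  probeHttpOnlyLeak(window.location.href, (leaks) => console.log(leaks));
} else {
  // Outside a browser, exercise the parser on the constructed samples.
  console.log(leakedHttpOnlyCookies(SAMPLE_LEAKY)); // [{ header: "set-cookie2", cookie: "sid=abc123" }]
  console.log(leakedHttpOnlyCookies(SAMPLE_CLEAN)); // []
}
```

An empty result from the probe means only that this browser hid the HttpOnly cookies from one XHR path; it says nothing about other script-reachable surfaces.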