[Owasp-topten] Comments on Release Candidate

Dave Wichers dave.wichers at aspectsecurity.com
Sat Jan 16 13:49:18 EST 2010

I'll try to fit page #'s on it somehow, but I'm not sure where it will


Regarding HTTPOnly. I don't see any room for it. But what I did do was
add a mention to this topic on the OWASP XSS Prevention Cheat Sheet,
which this article links to.


It's the new section near the bottom: Additional XSS Defense (HTTPOnly
cookie flag). I think that's the best I can do. The HTTPOnly article is
a bit dated. If you have any cycles to do some browser testing and
update the browser support section for HTTPOnly that would be great! I
cc'd Jim Manico since he is one of the primary authors of that article and
a strong advocate to various browser vendors to get HTTPOnly support
provided by the browsers.


Thanks for the input!!
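The defence discussed above is the HttpOnly cookie flag: a cookie carrying it is still sent to the server on every request but is not exposed to script through document.cookie, so an XSS payload cannot simply read the session identifier out of the browser. As an added example (not code from the OWASP Top Ten, the XSS Prevention Cheat Sheet, or anyone in this thread), the Python below parses Set-Cookie header values, reports cookies that lack HttpOnly (and, as an addition beyond what the thread mentions, the closely related Secure flag), and builds a correctly flagged session cookie. The header values are constructed samples.

```python
"""Audit Set-Cookie headers for the HttpOnly flag.

Added example; not part of the original thread. Sample header values below
are constructed for illustration, not captured from any real application.
"""

from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    """Result of inspecting one Set-Cookie header value."""
    name: str
    http_only: bool
    secure: bool
    attributes: dict = field(default_factory=dict)

    @property
    def findings(self) -> list:
        """Human-readable list of missing defensive flags (empty means OK)."""
        issues = []
        if not self.http_only:
            issues.append("missing HttpOnly: cookie is readable via document.cookie")
        if not self.secure:
            issues.append("missing Secure: cookie may be sent over plaintext HTTP")
        return issues


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value of the form 'name=value; Attr; Attr=val'.

    Attribute names are matched case-insensitively, so 'HttpOnly', 'httponly'
    and 'HTTPONLY' are all recognised, as browsers do.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieAudit(
        name=name.strip(),
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        attributes=attrs,
    )


def audit_headers(header_values) -> dict:
    """Map each cookie name to its list of findings for a set of Set-Cookie values."""
    report = {}
    for value in header_values:
        cookie = parse_set_cookie(value)
        report[cookie.name] = cookie.findings
    return report


def build_session_cookie(name: str, value: str, secure: bool = True) -> str:
    """Produce a Set-Cookie value for a session cookie with HttpOnly (and Secure) set."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


# Constructed sample Set-Cookie values, as they might appear in a captured response.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",                   # no defensive flags at all
    "prefs=dark; Path=/; Secure",                  # Secure, but script-readable
    "auth=tok; Path=/; Secure; HttpOnly",          # correctly flagged
]

if __name__ == "__main__":
    for cookie_name, issues in audit_headers(SAMPLE_HEADERS).items():
        print(cookie_name, "->", issues or ["ok"])
    print(build_session_cookie("JSESSIONID", "abc123"))
```

Running the module prints one line per sample cookie with its missing flags, then the hardened JSESSIONID header. The same audit_headers function can be pointed at the Set-Cookie values from any captured response, which is a quick way to confirm a framework really emits the flag before relying on it.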




From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Mungo
Sent: Friday, January 15, 2010 4:59 AM
To: OWASP-TopTen at lists.owasp.org
Subject: [Owasp-topten] Comments on Release Candidate


I like the revised format a lot! 

How about adding page numbering to the PDF.  It wasn't obvious what
order the pages went in when I took it off the printer. 

Is there room to fit in a mention of HttpOnly under XSS prevention? I
think this should be better known. 



Mungo Carstairs
Senior Systems Developer
Business Solutions
Standard Life Employee Services Limited

Tel:        +44 (0)131 246 2785

