PHP 5.2 to get HttpOnly!

Ilia has just blogged that HttpOnly is now supported in PHP 5.2.

This prevents the usual sort of basic XSS attacks, like:

Supported browsers:

  • IE 6.0 SP1 and later – prevents reading, but not overwriting (still allows preset CSRF attacks)
  • IE 7.0 – prevents reading and writing – safest
  • Safari 1.3 – not supported (update)
  • Opera 8 and later – not supported (update)
  • Mozilla – not supported
  • Firefox – not supported
  • IE 5.x for Mac – will actually fail to render the page. Use browser detection to encourage them to migrate to Safari or Firefox once it supports HttpOnly

There is a potential solution for Firefox’s and Mozilla’s lack of support.

Now all we need is for Firefox, Mozilla, Safari (=WebKit), and Opera to climb aboard!
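What the PHP 5.2 change actually looks like in code, as an added example that is not from the original post or from Ilia's announcement: the pre-5.2 hand-built header, the new seventh `httponly` argument to `setcookie()`, the `session.cookie_httponly` ini setting for PHPSESSID, and a small defender-side check over the headers PHP has queued. It assumes PHP 5.2.0 or later; the cookie name `app_sid` and its value are made up for illustration.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 5.2.0 (the
// first release with the httponly argument). The cookie name "app_sid" and
// its value are constructed for illustration.

// --- Before 5.2: the only way to emit the flag was a hand-built header().
function set_httponly_cookie_legacy($name, $value, $path = '/')
{
    header('Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value)
         . '; path=' . $path . '; HttpOnly', false);
}

// --- 5.2 and later: setcookie() gained a 7th parameter, httponly.
//     setcookie(name, value, expire, path, domain, secure, httponly)
function set_httponly_cookie($name, $value, $path = '/')
{
    return setcookie($name, $value, 0, $path, '', false, true);
}

// --- Defender's check: given the Set-Cookie lines a response carries,
//     return the names of cookies that script on the page can still read.
function cookies_missing_httponly(array $headers)
{
    $missing = array();
    foreach ($headers as $h) {
        if (stripos($h, 'Set-Cookie:') !== 0) {
            continue;
        }
        $attrs = explode(';', substr($h, strlen('Set-Cookie:')));
        list($name) = explode('=', trim($attrs[0]), 2);
        $flagged = false;
        foreach (array_slice($attrs, 1) as $attr) {
            // PHP writes the attribute as "HttpOnly"; compare case-insensitively
            // so hand-written headers with other casing are recognised too.
            if (strcasecmp(trim($attr), 'HttpOnly') === 0) {
                $flagged = true;
            }
        }
        if (!$flagged) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Session cookie: set the ini flag before session_start() so PHPSESSID
// (PHP's default session cookie name) is emitted with HttpOnly as well.
ini_set('session.cookie_httponly', 1);
session_start();

set_httponly_cookie('app_sid', 'constructed-value-123');

// headers_list() returns the headers PHP has queued for this response;
// an empty result means every cookie set so far carries the flag.
$exposed = cookies_missing_httponly(headers_list());
echo $exposed
    ? 'Readable from script: ' . implode(', ', $exposed) . "\n"
    : "All cookies are HttpOnly\n";
```

The check only tells you what the server sent; per the browser list above, whether the flag is honoured is still up to the client, so the `cookies_missing_httponly()` result is a necessary condition, not proof that the session cookie is unreachable from script.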

Update: Chris and I spent some time working out if HttpOnly works on a range of browsers. Sadly, some browsers I thought had support… don’t. Oh well.

Published by vanderaj

Just another security geek
