PHP 5.2 to get HttpOnly!

Ilia has just blogged that HttpOnly is now supported in PHP 5.2.

This prevents the usual sort of basic XSS attacks, like:

Supported browsers:

  • IE 6.0 SP1 and later – prevents reading, but not over-writing (still allows preset CSRF attacks)
  • IE 7.0 – prevents reading and writing – safest
  • Safari 1.3 – not supported (update)
  • Opera 8 and later – not supported (update)
  • Mozilla – not supported
  • Firefox – not supported
  • IE 5.x for Mac – will actually fail to render the page. Use browser detection to encourage them to migrate to Safari or Firefox once it supports HttpOnly

There is a potential solution for Firefox’s and Mozilla’s lack of support.

Now all we need is for Firefox, Mozilla, Safari (=WebKit), and Opera to climb aboard!

Update: Chris and I spent some time working out if HttpOnly works on a range of browsers. Sadly, some browsers I thought had support… don’t. Oh well.
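An added example, not code from the original post or from Ilia's patch, of using the new support: in PHP 5.2 setcookie() takes a seventh httponly argument and the session.cookie_httponly ini setting marks the session cookie, so this helper uses those where available, falls back to a hand-built Set-Cookie header on older PHP, and audits the queued headers for cookies that still lack the flag. The helper names and cookie values are constructed for illustration.

```php
<?php
// Added example (not from the original post). Cookie names/values are constructed.

function set_httponly_cookie($name, $value, $expire = 0, $path = '/',
                             $domain = '', $secure = false)
{
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // PHP 5.2 adds the seventh (httponly) argument to setcookie().
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }
    // Older PHP: build the Set-Cookie header by hand and append HttpOnly.
    $cookie = rawurlencode($name) . '=' . rawurlencode($value);
    if ($expire) {
        $cookie .= '; expires=' . gmdate('D, d-M-Y H:i:s T', $expire);
    }
    if ($path)   { $cookie .= '; path=' . $path; }
    if ($domain) { $cookie .= '; domain=' . $domain; }
    if ($secure) { $cookie .= '; secure'; }
    $cookie .= '; HttpOnly';
    // Second argument false: add to, rather than replace, earlier Set-Cookie headers.
    header('Set-Cookie: ' . $cookie, false);
    return true;
}

// Defender's check: names of cookies queued so far whose header lacks HttpOnly.
// Note the browser caveat from the post: even with the flag, IE 6 SP1 still lets
// script overwrite the cookie, so this only covers the read side there.
function cookies_missing_httponly()
{
    $missing = array();
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie:') !== 0) { continue; }
        if (stripos($h, 'httponly') === false) {
            $pair = trim(substr($h, strlen('Set-Cookie:')));
            $missing[] = substr($pair, 0, strpos($pair, '='));
        }
    }
    return $missing;
}

// Mark PHP's own session cookie HttpOnly (ini setting added in 5.2), then start it.
ini_set('session.cookie_httponly', 1);
session_start();

set_httponly_cookie('sid', 'constructed-session-id', 0, '/', '', true);
setcookie('legacy', 'no-flag'); // deliberately without HttpOnly, so the audit reports it
var_dump(cookies_missing_httponly());
```

Run it as a web script rather than from the CLI: headers_list() only sees headers PHP is actually going to send.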

Comments

2 responses to “PHP 5.2 to get HttpOnly!”

  1. kL

    Opera 9.5 supports it now.

  2. Jim Manico

    Any news or resources on browser support of HttpOnly since this post?
