Good news! Safari 4.0 now has:
- Read-only HttpOnly protection
- XMLHttpRequest read protection for set-cookie, set-cookie2, and getAllResponseHeaders!
It does not protect against cookie writing.
Test script here: http://greebo.net/owasp/httponly.php
This is a great improvement! Now all major browsers support HttpOnly in some form.
Thanks,
Andrew
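
The three behaviours listed above (script reads, XMLHttpRequest header reads, script writes) can be checked with one probe. This is an added example, not the test script linked in the post; `probeHttpOnly`, `mockBrowser`, `serverSees` and the `SID` cookie are assumed names, and the mock browser is constructed so the probe runs outside a real browser.

```javascript
// Added example, not the post's test script.
// serverSees(name) is a hypothetical hook: the value the server would receive
// for that cookie (on a real page, fetched from an echo endpoint).
function probeHttpOnly(doc, xhr, name, serverSees) {
  const mentions = (s) => typeof s === "string" && s.includes(name + "=");
  const readProtected = !mentions(doc.cookie);
  const headerProtected =
    !mentions(xhr.getResponseHeader("Set-Cookie")) &&
    !mentions(xhr.getResponseHeader("Set-Cookie2")) &&
    !mentions(xhr.getAllResponseHeaders());
  const before = serverSees(name);
  doc.cookie = name + "=overwritten-by-script"; // attempt a script-side write
  const writeProtected = serverSees(name) === before;
  return { readProtected, headerProtected, writeProtected };
}

// Constructed stand-in for a browser so the probe runs outside one.
function mockBrowser({ hideFromScript, filterHeaders, blockWrites }) {
  const jar = { SID: { value: "secret", httpOnly: true } };
  const raw = "Content-Type: text/html\r\nSet-Cookie: SID=secret; HttpOnly\r\n";
  const doc = {
    get cookie() {
      return Object.entries(jar)
        .filter(([, c]) => !(c.httpOnly && hideFromScript))
        .map(([k, c]) => k + "=" + c.value).join("; ");
    },
    set cookie(str) {
      const [k, v] = str.split(";")[0].split("=");
      if (jar[k] && jar[k].httpOnly && blockWrites) return;
      jar[k] = { value: v, httpOnly: false };
    },
  };
  const xhr = {
    getAllResponseHeaders: () =>
      filterHeaders ? raw.replace(/^Set-Cookie2?:.*\r\n/gim, "") : raw,
    getResponseHeader: (h) => {
      if (filterHeaders && /^set-cookie2?$/i.test(h)) return null;
      const m = raw.match(new RegExp("^" + h + ":\\s*(.*)$", "im"));
      return m ? m[1] : null;
    },
  };
  return { doc, xhr, serverSees: (n) => (jar[n] ? jar[n].value : undefined) };
}

// Behaviour the post reports for Safari 4.0: reads blocked, writes not.
const safari4 = mockBrowser({ hideFromScript: true, filterHeaders: true, blockWrites: false });
console.log(probeHttpOnly(safari4.doc, safari4.xhr, "SID", safari4.serverSees));
```

In a real page, pass `document`, a completed `XMLHttpRequest`, and a `serverSees` that asks the server which cookie value it received.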