Jim asked a great question – what is the current state of the nation for HttpOnly? I’m glad he asked!
Pass – read/write cookie protection
- IE 7.0
- Firefox >= 18.104.22.168
- Firefox 3.0 beta
- Camino 1.5.4
Barely Pass – read only cookie protection
- IE 6.0
- Opera 9.50 beta
Fail – no cookie protection
- Safari 3.1
- Firefox < 22.214.171.124
- Opera 9.2.6 (currently shipping stable version)
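The three tiers above can be read as the outcome of two checks: can script read a cookie the server marked HttpOnly, and can script overwrite it. The following is an added example, not code from the original post; `CookieJar`, its `mode` setting and `probe` are hypothetical names, and the jar is a constructed model standing in for a real browser.

```javascript
// Constructed model of a browser cookie jar (not a real browser API).
// mode: 'read-write' | 'read-only' | 'none' = how HttpOnly is enforced.
class CookieJar {
  constructor(mode) {
    this.mode = mode;
    this.cookies = new Map();
  }
  static parsePair(s) {
    const pair = s.split(';')[0].trim();
    const eq = pair.indexOf('=');
    return [pair.slice(0, eq), pair.slice(eq + 1)];
  }
  // Server side: apply the value of a Set-Cookie response header.
  setFromHeader(header) {
    const [name, value] = CookieJar.parsePair(header);
    const httpOnly = header.split(';').slice(1)
      .some((a) => a.trim().toLowerCase() === 'httponly');
    this.cookies.set(name, { value, httpOnly });
  }
  // Script side: what reading document.cookie returns.
  get documentCookie() {
    return [...this.cookies]
      .filter(([, c]) => !(c.httpOnly && this.mode !== 'none'))
      .map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
  // Script side: document.cookie = "name=value".
  set documentCookie(s) {
    const [name, value] = CookieJar.parsePair(s);
    const old = this.cookies.get(name);
    if (old && old.httpOnly && this.mode === 'read-write') return; // blocked
    this.cookies.set(name, { value, httpOnly: false });
  }
  // Cookie request header the server sees on the next request.
  requestHeader() {
    return [...this.cookies].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}

// Run both checks and map the outcome onto the post's three tiers.
function probe(jar) {
  jar.setFromHeader('probe=server; HttpOnly');
  const readable = jar.documentCookie.includes('probe=');
  jar.documentCookie = 'probe=script';
  const overwritten = jar.requestHeader().includes('probe=script');
  if (readable) return 'Fail';
  return overwritten ? 'Barely Pass' : 'Pass';
}
```

Against a real browser the same two checks need a server that sets the cookie and echoes back the Cookie header it receives on the next request.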
Coverage of HttpOnly Support
According to my Google Analytics account, 93.6% of browsers support HttpOnly for preventing cookies from being read. The worst offender is Apple, with a market share of 5.3% on my heavily trafficked site. They have no support whatsoever. In fact, they’ve had a bug outstanding for some time that no one is assigned to. BAD APPLE!