This prevents the usual sort of basic XSS attacks, like:
- IE 6.0 SP1 and later – prevents reading, but not over-writing (still allows preset CSRF attacks)
- IE 7.0 – prevents reading and writing – safest
- Safari 1.3 – not support (update)
- Opera 8 and later – not supported (update)
- Mozilla – not supported
- Firefox – not supported
- IE 5.x for Mac – will actually fail to render the page. Use browser detection to encourage them to migrate to Safari or Firefox once it supports HttpOnly
There is a potential solution for Firefox’s and Mozilla’s lack of support.
Now all we need is for Firefox, Mozilla, Safari (=WebKit), and Opera to climb aboard!
Update: Chris and I spent some time working out if HttpOnly works on a range of browsers. Sadly, some browsers I thought had support… don’t. Oh well.