[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: A technique to mitigate cookie-stealing XSS attacks
"Michael Howard" <mikehow@xxxxxxxxxxxxx> writes:
> In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a
> trailing HttpOnly (case insensitive) it will return an empty string to
> the browser when accessed from script, such as by using document.cookie.
What about HTTP headers which advise user agents to disable some
features, e.g. read/write access to the document or parts of it via
scripting or other Internet Explorer interfaces?
Is anybody interested in writing an Informational RFC on this topic?
Florian Weimer Weimer@xxxxxxxxxxxxxxxxxxxxx
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898