Cookies for HTTPOnly

Recently I researched cookies a bit and while playing with the cookie related functions in PHP I stumbled upon the HTTPOnly flag.

The purpose of the HTTPOnly flag is to limit the damage a cross-site scripting (XSS) attack can do, not to prevent the XSS itself. The idea is that the browser sends an HTTPOnly-flagged cookie with HTTP requests as it normally would, but does not make it available to client-side scripting languages (like JavaScript): reading document.cookie simply does not return it. An injected script can therefore still run, but it cannot read the session cookie and ship it off to the attacker, which is the classic way an XSS hole gets turned into session hijacking.

The HTTPOnly flag was introduced by Microsoft as part of Service Pack 1 for Internet Explorer 6, released in September of 2002.

A neat idea, as limiting the impact of XSS vulnerabilities can only be good. However, being an extension to the cookie standard, the flag requires support on both sides: the server has to set it and the browser has to honor it. Microsoft made the first step, so how do the other involved parties hold up?

PHP added support for HTTPOnly cookies in version 5.2, released in November of 2006: setcookie() and setrawcookie() gained an httponly parameter, session_set_cookie_params() gained one as well, and the session cookie can be flagged globally through the session.cookie_httponly ini setting.
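As an added example (not code from the original post), here is what the PHP side looks like: the session cookie and an application cookie flagged HTTPOnly on 5.2, the hand-written Set-Cookie header older releases have to fall back to, and a small check that reports which queued cookies lack the flag. The cookie names, the token, and the sample header lines audited on the command line are constructed for illustration; random_bytes() assumes PHP 7 or later.

```php
<?php
// Added example, not code from the original post: setting HTTPOnly cookies in
// PHP 5.2+, the pre-5.2 fallback, and a check over the Set-Cookie headers a
// script queues. Cookie names, values and the sample headers are constructed.

// 1. The session cookie. Both knobs exist as of PHP 5.2.0; the fifth argument of
//    session_set_cookie_params() is the httponly flag. Must run before session_start().
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'; // add Secure over TLS
ini_set('session.cookie_httponly', '1');
session_set_cookie_params(0, '/', '', $secure, true);
session_start();

// 2. An application cookie. setcookie() gained a seventh parameter, $httponly, in 5.2.0.
//    Parameter order: name, value, expire, path, domain, secure, httponly.
$token = bin2hex(random_bytes(16));   // random_bytes() is PHP 7+; use a CSPRNG on 5.x
setcookie('remember_me', $token, time() + 30 * 86400, '/', '', $secure, true);

// 3. Fallback for PHP < 5.2: emit the Set-Cookie header by hand. The second argument
//    (false) appends instead of replacing headers already queued under the same name.
//    Browsers that do not know the attribute ignore it and treat this as a normal cookie.
header('Set-Cookie: legacy_cookie=' . rawurlencode($token) . '; path=/; HttpOnly', false);

// 4. A check: does a Set-Cookie header value carry the HttpOnly attribute?
//    Attributes are ';'-separated and matched case-insensitively.
function cookie_has_httponly($set_cookie_value)
{
    $parts = explode(';', $set_cookie_value);
    array_shift($parts);   // drop the leading name=value pair
    foreach ($parts as $attribute) {
        if (strcasecmp(trim($attribute), 'HttpOnly') === 0) {
            return true;
        }
    }
    return false;
}

// Return the names of cookies set without HttpOnly, given raw "Set-Cookie: ..." header lines.
function cookies_missing_httponly(array $header_lines)
{
    $missing = array();
    foreach ($header_lines as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $value = trim(substr($line, strlen('Set-Cookie:')));
        if (!cookie_has_httponly($value)) {
            $missing[] = strstr($value, '=', true);
        }
    }
    return $missing;
}

// Under a web SAPI, audit what this script actually queued; on the CLI, where no
// headers are sent and headers_list() is empty, audit a constructed sample instead.
$headers = PHP_SAPI === 'cli'
    ? array(
        'Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly',
        'Set-Cookie: remember_me=deadbeef; expires=Thu, 01 Jan 2037 00:00:00 GMT; path=/; httponly',
        'Set-Cookie: tracking=42; path=/',
      )
    : headers_list();

$missing = cookies_missing_httponly($headers);
echo $missing ? "Cookies without HttpOnly: " . implode(', ', $missing) . "\n"
              : "All cookies carry HttpOnly\n";
```

The ini setting is the one worth remembering: put session.cookie_httponly = 1 in php.ini and every application on the host gets an HTTPOnly session cookie without touching its code, while application cookies set through setcookie() still need the explicit parameter.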

Current releases of Firefox do not support HTTPOnly cookies. Version 3, however, will. And Stefan Esser, of Hardened-PHP and Suhosin fame, wrote an extension for Firefox 2.0 that adds HTTPOnly support.

Opera will support HTTPOnly cookies in version 9.5.

I am not sure whether KHTML or WebKit support HTTPOnly cookies.

Apparently ancient browsers break when asked to process an HTTPOnly cookie. In this day and age this should not be too big a problem, however.

It appears that Microsoft, as unlikely as it may seem, had a pretty decent idea, but the open source community did not respond as one could have hoped. Is this NIH?

Now, after the LiveJournal incident, whose cookie theft HTTPOnly cookies could have blocked had they been widely supported, an increased effort seems underway to finally get this implemented.

Of course, HTTPOnly cookies do not protect against all types of XSS attacks: an injected script can still issue requests in the victim's name, with the browser attaching the cookie as usual, and the cross-site tracing (XST) trick of reading cookies back out of a TRACE response showed early on that the flag only helps if TRACE is disabled on the server. Nevertheless, it is another layer of protection for which I am grateful. I was surprised to learn that this was introduced by Microsoft AND that the open source community hasn't adopted this feature more widely. Microsoft's positive impacts on this industry do exist after all…