HttpOnly

What's Good:

When an attacker has already broken your website security, HttpOnly forces them to use the already owned browsers to mount further attacks rather than 3rd party servers

What's Bad:

It breaks double-submit CSRF protection which may break Ajax libraries
It may cause page load failure in Internet Explorer 5.5/Mac and WebTV
HttpOnly cookies may still be vulnerable to XMLHttpResponse attacks, negating the original point
It confuses people into thinking they're protected from XSS when they're not

Posted by Joe Walker 16 Dec 2008

Comments

Comments have been turned off on old posts

The blog is about general web development. (Atom feed)

MozBlog contains Mozilla stuff - i.e stuff for planet (Atom feed).

I'm Joe Walker. I work for Mozilla making developer tools better i.e. creating tomorrow's Firebug.

See also joewalker on Github and @joewalker on Twitter, and 103130341946168853745 on Google+.

GCLI is a web developers command-line that's being used in Firefox Developer Tools, and alongside Ace
DOM Template is an experimental DOM template engine with some nice features like asynchronous layout
CSS Doctor is an experiment into how we can improve the CSS telemetry in a browser
DWR is a Java library that enables Java on the server and JavaScript in a browser to interact and call each other as simply as possible