What's Good:

  • Once an attacker already has script running on your site (XSS), HttpOnly keeps document.cookie from handing them the session cookie, so they cannot ship it to a server they control and replay it later; they are forced to mount further attacks from inside the browser they already own, while that page is open

What's Bad:

  • It breaks the double-submit cookie CSRF pattern if it is applied to the CSRF token cookie, because client script has to read that cookie and echo it in a request header; Ajax libraries that do this silently stop working
  • It may cause page-load failures in Internet Explorer 5.5 for Mac and WebTV; both are long-dead browsers, so this only matters if you still have to support them
  • Cookies set as HttpOnly could historically still reach script anyway: Cross-Site Tracing abused the HTTP TRACE method to echo the Cookie header into a response body, and some older browsers exposed Set-Cookie through XMLHttpRequest.getAllResponseHeaders(), negating the original point of the flag. Modern browsers refuse TRACE from XMLHttpRequest and strip Set-Cookie from the headers script can read, so this is a legacy problem, but the flag only helps where the whole browser/server combination honours it
  • It tempts people into thinking they are protected from XSS when they are not: the injected script still runs with the user's session, can issue requests that the browser decorates with the HttpOnly cookie, and can read anything the page renders. HttpOnly narrows one consequence of XSS (cookie theft); it does not fix XSS


