It is a very interesting idea, but it would take some years to start to take
effect, as non-compatible browsers would still be on the market for a few
years; can't we find a solution that works on current browsers?
Initially, I thought about encrypting cookie content with a server-based
key. But this key should have some browser-derived component, something that
changes from one browser/computer to another; IP is not practical, as the
client can be behind a cluster of proxies. Is there something that the
browser shows only to the server and not to client-side scripts?
Let's see if we can improve this idea,
Augusto.
-----Original Message-----
From: Florian Weimer [mailto:Weimer (at) CERT.Uni-Stuttgart (dot) DE [email concealed]]
Sent: Tuesday, 5 November 2002 18:39
To: Michael Howard
Subject: Re: A technique to mitigate cookie-stealing XSS attacks
"Michael Howard" <mikehow (at) microsoft (dot) com [email concealed]> writes:
> In a nutshell, if Internet Explorer 6.0 SP1 detects a cookie that has a
> trailing HttpOnly (case insensitive) it will return an empty string to
> the browser when accessed from script, such as by using document.cookie.
What about HTTP headers which advise user agents to disable some
features, e.g. read/write access to the document or parts of it via
scripting or other Internet Explorer interfaces?
Is anybody interested in writing an Informational RFC on this topic?
--
Florian Weimer Weimer (at) CERT.Uni-Stuttgart (dot) DE [email concealed]
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
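The HttpOnly behaviour quoted from Michael Howard's message (the browser hides a cookie from document.cookie when the Set-Cookie header carries a trailing HttpOnly attribute, matched case-insensitively) is a server-side change, so it is easy to check for in an application's own responses. The following is an added example, not code from any participant in this thread, showing how to emit a Set-Cookie header with the attribute and how to audit a response's headers for cookies that lack it. It uses only the Python standard library; the function names and the sample response headers are constructed for this illustration.

```python
"""Build and audit Set-Cookie headers for the HttpOnly attribute.

Added example (not from the thread). Assumes a minimal cookie grammar:
name=value followed by ";"-separated attributes, which is what the
quoted message describes the browser parsing for a trailing HttpOnly.
"""


def build_set_cookie(name, value, http_only=True, secure=True, path="/"):
    """Return a Set-Cookie field value; HttpOnly is appended last."""
    if not name or any(c in name for c in "=;, \t"):
        raise ValueError("invalid cookie name")
    if any(c in value for c in ";, \t"):
        raise ValueError("invalid cookie value")
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value}).

    Attribute names are lower-cased so that HttpOnly, httponly and HTTPONLY
    compare equal, mirroring the case-insensitive match quoted above.
    Attributes without "=" (Secure, HttpOnly) map to None.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def is_http_only(header):
    """True when the Set-Cookie value carries the HttpOnly attribute."""
    return "httponly" in parse_set_cookie(header)[2]


def audit_response_cookies(headers):
    """Return the names of cookies set without HttpOnly.

    headers: list of (field-name, field-value) pairs as a server would send
    them; field names are compared case-insensitively.
    """
    missing = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample response headers (not captured from any real server).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", build_set_cookie("SESSIONID", "abc123")),
    ("Set-Cookie", "prefs=dark; Path=/; httponly"),
    ("Set-Cookie", "tracker=xyz; Path=/"),
]

if __name__ == "__main__":
    for field, value in SAMPLE_HEADERS:
        if field == "Set-Cookie":
            print(f"{value!r:55} HttpOnly={is_http_only(value)}")
    print("cookies lacking HttpOnly:", audit_response_cookies(SAMPLE_HEADERS))
```

The audit only reports which cookies a browser with this feature would still expose to script; it says nothing about whether the cookie's contents are protected, which is the separate server-side question raised at the top of this message.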