cat slave diary

PHP 5.2 to get HttpOnly!

Ilia has just blogged that HttpOnly is now supported in PHP 5.2: setcookie() and session_set_cookie_params() gain an httponly argument, and there is a new session.cookie_httponly ini setting for the session cookie.

HttpOnly does not stop XSS itself; it stops injected script from reading the cookie, which defeats the usual basic session-theft payload (script can still make requests as the user, so treat it as a mitigation, not a fix), like:

Browser support:

  • IE 6.0 SP1 and later - prevents reading, but not over-writing (script can still set the cookie, so attacks that preset a session ID, i.e. session fixation, still work)
  • IE 7.0 - prevents reading and writing - safest
  • Safari 1.3 - not supported (see update below)
  • Opera 8 and later - not supported (see update below)
  • Mozilla - not supported
  • Firefox - not supported
  • IE 5.x for Mac - will actually fail to render the page. Use browser detection to encourage those users to migrate to Safari or Firefox once those support HttpOnly

There is a potential solution for Firefox’s and Mozilla’s lack of support.

Now all we need is for Firefox, Mozilla, Safari (=WebKit), and Opera to climb aboard!

Update: Chris and I spent some time working out if HttpOnly works on a range of browsers. Sadly, some browsers I thought had support… don’t. Oh well.

Written by vanderaj

August 11th, 2006 at 9:17 am

Posted in PHP, Security

2 Responses to 'PHP 5.2 to get HttpOnly!'

  1. Opera 9.5 supports it now.

    kL

    27 Nov 07 at 7:17 pm

  2. any news or resources on browser support of HttpOnly since this post?

    Jim Manico

    22 Mar 08 at 4:16 pm
