Good news! Safari 4.0 has:

  • Supports read only HttpOnly protection
  • XMLHttpRequest read protection for set-cookie, set-cookie2, and GetAllResponseHeaders!

It does not protect against cookie writing.

Test script here: http://greebo.net/owasp/httponly.php

This is a great improvement! Now all major browsers support HttpOnly in some form.

thanks,
Andrew

Leave a Reply

Your email address will not be published. Required fields are marked *