HttpOnly in Safari 4.0 (release)

Good news! Safari 4.0 has:

  • Supports read only HttpOnly protection
  • XMLHttpRequest read protection for set-cookie, set-cookie2, and GetAllResponseHeaders!

It does not protect against cookie writing.

Test script here:

This is a great improvement! Now all major browsers support HttpOnly in some form.


Published by


Just another security geek

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>