[WEB SECURITY] HttpOnly and Firefox

Stefano Di Paola stefano.dipaola at wisec.it
Mon Jul 31 11:39:11 EDT 2006


On Fri, 28-07-2006 at 23:42 +0100, Gervase Markham wrote:
> Stefano Di Paola wrote:
> > Hi all,
> > I wrote some thoughts on how to implement httponly cookie
> > methodology using JS on Mozilla Firefox.
> > 
> > http://www.wisec.it/sectou.php?lang=en
> 
> Sadly, cunning though this is, it won't work. I initially thought it
> would, but then one of our security guys set me straight. See the
> comments here:
> http://weblogs.mozillazine.org/gerv/archives/2006/07/httponly_for_firefox.html
> 
> Gerv
Ouch! :)
I tested it and that's (unfortunately) true!
Thanks for testing it and for your reply.

I'll update my write-up...
But as I would like to explain what the matter is, I would like to go into
some technical detail, and IMHO I think it could interest all WASC
people (if Mr. Moderator agrees... :).

It seems to me (correct me if I'm wrong) that the problem lies in how an
iframe with a "data:" src attribute inherits DOM attributes from the parent
document.
In fact, by applying the "same source" rule, DOM values are inherited by the
iframe and copied to IFrameHTMLElement.contentDocument.
But as document.cookie != IFrameHTMLElement.contentDocument.cookie,
it doesn't inherit the getter definition on cookie from the ownerDocument.

Is it that way?



Stefano

-- 

......---oOOo--------oOOo---......
Stefano Di Paola
Software Engineer
Email: stefano.dipaola_at_wisec.it
Email: stefano.dipaola1_at_tin.it
Web: www.wisec.it
..................................
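The following is an added illustration of the mechanism discussed in this message; it is not Stefano's original script nor code from Mozilla. It emulates "HttpOnly via JS" by replacing the cookie accessor on the top-level document with a filtering getter, and then shows the bypass: a same-origin child document is a distinct Document object that still carries the native accessor, so reading contentDocument.cookie returns the cookies the parent's getter hides. The cookie names (SESSIONID, auth, theme) and values are constructed for the demo. The child frame is created with no src (about:blank), which inherits the parent's origin in every current browser; the 2006 post used a data: URI, which current Firefox treats as a separate, opaque origin, so that exact variant would now yield a null contentDocument instead. The installCookieGuard and filterCookieString helpers are assumed names written for this example.

```javascript
// Added example (not from the original post): emulate HttpOnly by
// overriding the cookie getter on one document, then show why a
// same-origin child document defeats it.

// Cookie names to hide from script. Constructed list for this demo.
const HIDDEN_COOKIES = ["SESSIONID", "auth"];

// Drop the hidden cookies from a raw document.cookie string.
function filterCookieString(raw, hidden = HIDDEN_COOKIES) {
  return raw
    .split(";")
    .map((c) => c.trim())
    .filter((c) => c.length > 0)
    .filter((c) => !hidden.includes(c.split("=")[0].trim()))
    .join("; ");
}

// Install a filtering "cookie" accessor on ONE document object. The
// native accessor is looked up along the prototype chain (on a real
// Document it lives on Document.prototype; on the plain stand-in object
// used by the test it sits on the object's prototype). Returns the native
// accessor pair so callers can see that only this object was changed.
function installCookieGuard(doc, hidden = HIDDEN_COOKIES) {
  let proto = doc;
  let desc;
  while (proto && !(desc = Object.getOwnPropertyDescriptor(proto, "cookie"))) {
    proto = Object.getPrototypeOf(proto);
  }
  if (!desc || !desc.get) throw new Error("no cookie accessor found");
  const nativeGet = desc.get;
  const nativeSet = desc.set;
  Object.defineProperty(doc, "cookie", {
    configurable: true,
    get() { return filterCookieString(nativeGet.call(doc), hidden); },
    set(v) { if (nativeSet) nativeSet.call(doc, v); },
  });
  return { nativeGet, nativeSet };
}

// The bypass: an iframe with no src is about:blank, same-origin with the
// parent, but its contentDocument is a different object with the untouched
// native accessor. The guard installed on the parent document never runs.
function readViaChildFrame(win) {
  const frame = win.document.createElement("iframe");
  frame.style.display = "none";
  win.document.body.appendChild(frame);
  try {
    return frame.contentDocument.cookie;
  } finally {
    frame.remove();
  }
}

// Browser-only demo; skipped when there is no DOM (e.g. under Node).
if (typeof document !== "undefined" && typeof window !== "undefined") {
  document.cookie = "SESSIONID=abc123"; // constructed values
  document.cookie = "theme=dark";
  installCookieGuard(document);
  console.log("guarded parent document:", document.cookie); // theme=dark only
  console.log("via child frame:", readViaChildFrame(window)); // both cookies
}
```

Paste the block into the console of any page served over http(s) to see the two console lines differ. The lesson matches Gerv's objection: a getter patched onto one document object is not a property of the origin, so any code path that obtains another same-origin Document (child frames, window.open, a document created via DOMParser that keeps cookie access, and so on) reads the cookie jar unfiltered. Real HttpOnly has to be enforced by the cookie store, not by script.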


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


