Add HttpOnly flag to LiveJournal cookies
Short, concise description of the idea
Add the HttpOnly flag to LiveJournal cookies to help defend against XSS.
Full description of the idea
The only thing necessary is to set the HttpOnly flag on cookies sent by LiveJournal so that they cannot be accessed through client-side scripting. This makes executing XSS attacks substantially more difficult, and could potentially open the door to permitting third-party JS on LiveJournal pages some time down the road.
Modern browsers (Opera 9+, Firefox 3, IE 6.1+) support the extension, and browsers that don't support it will continue to operate as they did before.
Implementation instructions and more details are available by reading this post.
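As an added illustration (not LiveJournal's own code), the following shows how a server emits a cookie with the HttpOnly attribute and how a defender can audit a set of Set-Cookie headers for cookies that lack it; the cookie names ljsession and ljuniq are assumed for the example and are not taken from LJ's implementation.

```python
"""Build and audit Set-Cookie headers for the HttpOnly flag (added example).

Cookie names used below are constructed for illustration only.
"""
from http.cookies import SimpleCookie


def build_session_cookie(name, value, secure=False):
    """Return a Set-Cookie header value carrying the HttpOnly attribute.

    Browsers that understand HttpOnly keep the cookie out of document.cookie;
    browsers that do not simply ignore the unknown attribute, so the cookie
    keeps working as before.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True   # hide from client-side script
    jar[name]["path"] = "/"
    if secure:
        jar[name]["secure"] = True  # send only over HTTPS
    return jar[name].OutputString()


def audit_set_cookie(headers):
    """Return the names of cookies in the given Set-Cookie values that lack HttpOnly.

    Each element of `headers` is one Set-Cookie header value as a server sent it.
    Cookies reported here would be readable via document.cookie by injected script.
    """
    missing = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for cookie_name, morsel in jar.items():
            if not morsel["httponly"]:
                missing.append(cookie_name)
    return missing


if __name__ == "__main__":
    # Constructed sample response headers: one hardened cookie, one not.
    sample = [
        build_session_cookie("ljsession", "v1-example", secure=True),
        "ljuniq=abc123; Path=/",
    ]
    print("Set-Cookie:", sample[0])
    print("cookies exposed to script:", audit_set_cookie(sample))
```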
- The security of LiveJournal users is enhanced
- It's more difficult to execute XSS attacks involving LiveJournal
- I've read through a lot of LJ code and am reasonably confident nothing uses document.cookie, but if it does, implementing this option would break that.
- It is possible to work around the restriction due to browser flaws at the moment, but as browser support improves, it makes sense for LJ to have the security option in place in advance.