FunBux™ Commissioner (gerg) wrote in suggestions,

Add HttpOnly flag to LiveJournal cookies


Short, concise description of the idea
Add the HttpOnly flag to LiveJournal cookies to help protect against XSS.

Full description of the idea
All that is necessary is to set the HttpOnly flag on cookies sent by LiveJournal so that they cannot be accessed through client-side scripting. This makes executing XSS attacks substantially more difficult, and could potentially open the door to permitting third-party JS on LiveJournal pages some time down the road.

Modern browsers (Opera 9+, Firefox 3, IE 6.1+) support the extension, and browsers that don't support it will continue to operate as they did before.

Implementation instructions and more details are available by reading this post.

An ordered list of benefits
  • The security of LiveJournal users is enhanced
  • It's more difficult to execute XSS attacks involving LiveJournal
  • In the future, permitting external JavaScript is easier because it is known that no JavaScript can steal a user's cookies
An ordered list of problems/issues involved
  • I've read through a lot of LJ code and am reasonably confident nothing uses document.cookie, but if it does, implementing this option would break that.
  • It is possible to work around the restriction due to browser flaws at the moment, but as browser support improves, it makes sense for LJ to have the security option in place in advance.
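The two halves of the suggestion, emitting the flag and checking that nothing was missed, as an added example (not LiveJournal code, and not from the post's author). The cookie names, values and domain are constructed for illustration; the audit treats a missing `HttpOnly` the way the post's "nothing uses document.cookie" check would, by reporting which cookies are still readable from script.

```python
"""Emit Set-Cookie headers with HttpOnly and audit existing ones (added example)."""
from http.cookies import SimpleCookie


def build_set_cookie(name, value, domain, path="/", secure=True):
    """Return a Set-Cookie header value that carries the HttpOnly flag.

    HttpOnly keeps the cookie out of document.cookie; Secure (on by default
    here) keeps it off plain HTTP. Both are plain attributes, so a browser
    that does not understand them ignores them and behaves as before.
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["domain"] = domain
    morsel["path"] = path
    morsel["httponly"] = True
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie header value into (cookie name, set of attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    flags = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, flags


def audit_headers(set_cookie_values, required=("httponly",)):
    """Return {cookie name: [missing attributes]} for cookies lacking any required flag."""
    missing = {}
    for raw in set_cookie_values:
        name, flags = cookie_flags(raw)
        lacking = [attr for attr in required if attr not in flags]
        if lacking:
            missing[name] = lacking
    return missing


# Constructed sample response headers; names and values are hypothetical.
SAMPLE_HEADERS = [
    "session_id=abc123; Domain=example.org; Path=/",             # readable from script
    "theme=dark; Domain=example.org; Path=/; HttpOnly",          # HttpOnly but not Secure
    build_set_cookie("remember_me", "tok-456", "example.org"),   # HttpOnly and Secure
]

if __name__ == "__main__":
    for cookie, lacking in audit_headers(SAMPLE_HEADERS, ("httponly", "secure")).items():
        print(f"{cookie}: missing {', '.join(lacking)}")
```

Run against a real deployment by collecting the `Set-Cookie` values from a login response and passing them to `audit_headers`; the rollout is complete when the result is empty for every session-bearing cookie.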
Tags: cookies, login, security, § no status