For your browser only

Cross-site scripting attacks to steal authentication cookies is one of the biggest security problems plaguing the web today. Jeff Atwood argues that a lot more protection could be offered by the cheap and simple means of setting all cookies to HTTPOnly:

HttpOnly cookies can in fact be remarkably effective. Here’s what we know:

• HttpOnly restricts all access to document.cookie in IE7, Firefox 3, and Opera 9.5 (unsure about Safari)
• HttpOnly removes cookie information from the response headers in XMLHttpObject.getAllResponseHeaders() in IE7. It should do the same thing in Firefox, but it doesn’t, because there’s a bug.
• XMLHttpObjects may only be submitted to the domain they originated from, so there is no cross-domain posting of the cookies.

The big security hole, as alluded to above, is that Firefox (and presumably Opera) allow access to the headers through XMLHttpObject. So you could make a trivial JavaScript call back to the local server, get the headers out of the string, and then post that back to an external domain. Not as easy as document.cookie, but hardly a feat of software engineering.

Even with those caveats, I believe HttpOnly cookies are a huge security win. If I — er, I mean, if my friend — had implemented HttpOnly cookies, it would have totally protected his users from the above exploit!

Of course this doesn’t completely protect your app from cross-site attacks and it does nothing to protect against good old fashion packet sniffing, but it is still a good suggestion.