[HTTPS-Everywhere] Flagging cookies as secure

Peter Eckersley pde at eff.org
Wed Nov 10 16:41:30 PST 2010


The current git version of HTTPS Everywhere, and future releases, offer the
ability to flag certain cookies as secure.  This means they will never be
transmitted over HTTP.  For sites with complete HTTPS support, this is a moot
point because there are no HTTP requests.  Unfortunately some sites -- like
Facebook and Twitter -- still don't support HTTPS for everything, and this
should help a bit in protecting those sites.  It can protect against
Firesheep-type attacks, but it often won't protect against JavaScript
injection.

An example of the ruleset syntax for forcing the secure flag to on can be
found here:

https://gitweb.torproject.org/https-everywhere.git/blob/43b153644faaab731f60226a8d4a70be4fd1eac0:/src/chrome/content/rules/Facebook.xml

Note that the "host" and "name" attributes of a <securecookie> element are
both regular expressions.

Currently, HTTPS Everywhere only sets the secure flag on these cookies if they
are set over HTTPS.  If anyone thinks we should also do this if the cookies
happen to be set over HTTP, let's talk about it.
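As an added illustration (not code from this post or from HTTPS Everywhere itself), the following Python snippet models the behaviour described above: it parses a constructed ruleset containing a <securecookie> element, treats the "host" and "name" attributes as regular expressions, and marks a matching cookie secure only when that cookie was set over HTTPS. The ruleset, the cookie values, and the use of re.search for matching are assumptions made for the example; they are not taken from the Facebook.xml ruleset linked above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ruleset in HTTPS Everywhere's XML syntax. The host and name
# attributes of <securecookie> are regular expressions, as the post notes.
RULESET_XML = r"""<ruleset name="Example (constructed)">
  <target host="example.com"/>
  <target host="*.example.com"/>
  <rule from="^http://(www\.)?example\.com/" to="https://www.example.com/"/>
  <securecookie host="^\.?(www\.)?example\.com$" name="^(session|auth)$"/>
</ruleset>
"""


def parse_securecookie_rules(xml_text):
    """Return compiled (host_re, name_re) pairs, one per <securecookie> element."""
    root = ET.fromstring(xml_text)
    return [
        (re.compile(el.get("host")), re.compile(el.get("name")))
        for el in root.iter("securecookie")
    ]


def apply_securecookie(rules, cookie, set_over_https):
    """Return a copy of `cookie` with the secure flag forced on if a rule matches.

    Mirrors the policy in the post: the flag is only forced when the cookie
    was set over HTTPS; a cookie set over plain HTTP is left untouched.
    (The re.search matching model is an assumption for this example.)
    """
    result = dict(cookie)
    if not set_over_https:
        return result
    for host_re, name_re in rules:
        if host_re.search(cookie["domain"]) and name_re.search(cookie["name"]):
            result["secure"] = True
            break
    return result


def would_be_sent(cookie, scheme):
    """A secure cookie is never transmitted on an http:// request."""
    if cookie.get("secure") and scheme != "https":
        return False
    return True


if __name__ == "__main__":
    # Constructed sample cookies, as a site might set them.
    rules = parse_securecookie_rules(RULESET_XML)
    session = {"name": "session", "domain": ".example.com", "secure": False}
    tracker = {"name": "tracking_id", "domain": ".example.com", "secure": False}

    secured = apply_securecookie(rules, session, set_over_https=True)
    print("session set over HTTPS  ->", secured)            # secure: True
    print("session set over HTTP   ->",
          apply_securecookie(rules, session, set_over_https=False))  # unchanged
    print("tracking_id over HTTPS  ->",
          apply_securecookie(rules, tracker, set_over_https=True))   # no match
    print("secured cookie on http request sent?",
          would_be_sent(secured, "http"))                   # False
```

The name regex is deliberately narrow: only the cookies that carry the login (here "session" and "auth") are flagged, so a tracking cookie that the site legitimately needs over HTTP is left alone, while the sensitive ones can no longer be captured by a passive sniffer on an HTTP request.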

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993


