[HTTPS-Everywhere] Flagging cookies as secure

https-everywhere at lists.grepular.com
Thu Nov 11 08:19:39 PST 2010


On 11/11/2010 16:02, Daniel Kahn Gillmor wrote:

>> <img src="http://the.site.which.is.supposedly.always.https/">
>>
>> Then they'll cause your browser to send the cookie over HTTP. Even for
>> sites which appear to be fully https, I still think it's a good idea to
>> add the secure flag to their cookies.
> 
> i think peter was suggesting that if the user is running
> https-everywhere and the rule for the domain has no exceptions then even
> such an img inclusion scenario will cause the browser to connect back
> over HTTPS, foiling the attack.  That's why the extension exists ;)

Oops, my error! Of course, that's the case.

>> I also think it would be nice if we could add HttpOnly flags to cookies
>> from the https-everywhere rulesets in a similar manner to the secure
>> flag. Not sure if this would be considered out of scope though?
> 
> httponly is the "do not use this cookie in javascript" flag, right?

That's the one, yeah.

> that might cause breakage on some sites that actually do cookie
> manipulation in javascript.

I don't think that most sites manipulate cookies using JS, but I could
be wrong. On the sites where it breaks, we simply wouldn't add the
HttpOnly flag.

-- 
Mike Cardwell https://secure.grepular.com/   https://twitter.com/mickeyc
Professional  http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu   0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
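As an added example, not code from the thread or from HTTPS Everywhere itself: a small JavaScript routine that appends the Secure flag to a Set-Cookie header value and adds HttpOnly except for hosts on an exception list, which is the arrangement Mike describes for sites where HttpOnly would break cookie handling in JavaScript. The exception list, host names and function names are constructed for illustration.

```javascript
// Added example (not HTTPS Everywhere's own code): harden a Set-Cookie header
// by adding the Secure flag, and HttpOnly unless the host is known to need
// JavaScript access to its cookies.

// Constructed exception list: hosts where HttpOnly is known to break the site.
// Assumption: a real deployment would source this from per-site rules.
const HTTPONLY_EXCEPTIONS = new Set(["js-cookies.example.net"]);

// Split a Set-Cookie value into its name=value pair and an ordered list of
// attributes, preserving the original spelling of each attribute name.
function parseSetCookie(header) {
  const [nameValue, ...rest] = header.split(";").map((p) => p.trim());
  const attributes = rest.filter(Boolean).map((attr) => {
    const eq = attr.indexOf("=");
    return eq === -1
      ? { key: attr, value: null }
      : { key: attr.slice(0, eq).trim(), value: attr.slice(eq + 1).trim() };
  });
  return { nameValue, attributes };
}

// Attribute names are case-insensitive, so "secure" and "Secure" both count.
function hasAttribute(cookie, name) {
  return cookie.attributes.some((a) => a.key.toLowerCase() === name);
}

// Rebuild the header in the original attribute order.
function serializeSetCookie(cookie) {
  const parts = [cookie.nameValue];
  for (const { key, value } of cookie.attributes) {
    parts.push(value === null ? key : `${key}=${value}`);
  }
  return parts.join("; ");
}

// Add Secure always; add HttpOnly unless the host is on the exception list.
// Flags already present are left alone so the header is never duplicated.
function hardenSetCookie(header, host) {
  const cookie = parseSetCookie(header);
  if (!hasAttribute(cookie, "secure")) {
    cookie.attributes.push({ key: "Secure", value: null });
  }
  if (!HTTPONLY_EXCEPTIONS.has(host) && !hasAttribute(cookie, "httponly")) {
    cookie.attributes.push({ key: "HttpOnly", value: null });
  }
  return serializeSetCookie(cookie);
}
```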


