[HTTPS-Everywhere] Flagging cookies as secure

Chris Palmer chris at eff.org
Thu Nov 11 09:44:40 PST 2010


On Nov 11, 2010, at 1:40 AM, https-everywhere at lists.grepular.com wrote:

> <img src="http://the.site.which.is.supposedly.always.https/">

Right. And if the attacker is trying to snarf cookies for users of a server that doesn't even listen on port 80, they could still do

<img src="http://foo.example.com:443/goat" />

The client will get an error, presumably, but it'd be too late --- cookie already sent. :)

Anyway, now we're just splitting hairs for the fun of it. Hey, it's not my fault that is so fun. Everybody agrees that the Secure flag is necessary.

As for HttpOnly, it could break sites that do manipulate cookies from JavaScript. It's not super common, but I have seen it. Given that HttpOnly is not a true defense, and given that we don't need an even greater site- and rule-testing workload, I suggest we punt on that for now. On the other hand, I'm just a bystander, so do whatever you like. :)


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
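The point made in this message (a cookie without the Secure flag is sent over plaintext even when the URL names port 443, while HttpOnly only hides the cookie from page script) can be demonstrated with the cookie handling in Python's standard library. The following is an added example, not code from the thread or from HTTPS Everywhere: the send/don't-send decisions come from http.cookiejar, which applies the Secure rule by request scheme, and the document.cookie visibility check is a small hand-written model rather than a browser. The hostnames, paths and cookie values are constructed.

```python
"""
Added example: what the Secure and HttpOnly attributes change.

Cookie attachment decisions are made by http.cookiejar (standard library);
the script-visibility check is a hand-written model of document.cookie.
All hostnames and cookie values below are constructed.
"""
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: cookiejar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for h in set_cookie_headers:
            self._headers["Set-Cookie"] = h  # Message allows repeated headers

    def info(self):
        return self._headers


def jar_after_login(set_cookie_headers, login_url="https://foo.example.com/login"):
    """Store cookies the way a client would after a response from login_url."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_headers),
                        urllib.request.Request(login_url))
    return jar


def cookies_attached_to(jar, url):
    """Names of the stored cookies the client would send when fetching url.

    http.cookiejar attaches a Secure cookie only when the request scheme is
    https; the port in the URL plays no part in that decision.
    """
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return set()
    return {pair.split("=", 1)[0] for pair in header.split("; ")}


def script_visible_cookies(jar):
    """Model of document.cookie: HttpOnly cookies are hidden from page script.

    cookiejar keeps attributes it does not know (HttpOnly among them) as
    'nonstandard' attributes, case preserved as the server sent them.
    """
    return {c.name for c in jar if not c.has_nonstandard_attr("HttpOnly")}


if __name__ == "__main__":
    jar = jar_after_login([
        "sid=constructed-session-token; Secure; HttpOnly",  # hardened cookie
        "theme=dark",                                       # no flags at all
    ])
    # A plaintext URL naming port 443 is still scheme http: the Secure cookie stays home.
    for url in ("https://foo.example.com/goat",
                "http://foo.example.com:443/goat",
                "http://foo.example.com/goat"):
        print(url, "->", sorted(cookies_attached_to(jar, url)))
    print("visible to page script:", sorted(script_visible_cookies(jar)))
```

Run it and the `http://foo.example.com:443/goat` line lists only `theme`: the unflagged cookie goes out in the clear, the Secure one does not. The last line shows why HttpOnly is the weaker control: it removes `sid` from what script can read, but script running in the page can still make requests that carry it.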
