Firefox raises barrier to cross-site scripting attacks

Mozilla has quietly fitted a new security feature into the latest Firefox update, adding the ability for the browser to prevent cross-site scripting attacks.
Written by Ryan Naraine, Contributor

The change, which was not officially announced, implements httpOnly cookies in Firefox 2.0.0.5, the most recent refresh of the open-source browser.

Web application security experts are welcoming the move, which had been in the works for a few years.

Robert 'RSnake' Hansen, however, notes that the new browser remains vulnerable to credential leakage via XMLHTTPRequest:

I saw a few different people mention over the last few days that httpOnly has been added to Firefox 2.0.0.5. Very exciting stuff - as this has long been missing for over two years. There are some major pros and cons when using httpOnly on cookies. The pros are that httpOnly cookies aren’t visible in JavaScript space using document.cookie and that makes XSS much more difficult when using it in the context of credential theft. The cons are that it doesn’t work in all browsers and in some browsers, like WebTV and IE5.5 on Mac, it can actually cause the page to fail to load. Granted, the user base on those browsers is pretty minimal, but that may be a show stopper for some people.

The only problem I see with using this as protection against credential theft is that the cookies are still visible using XMLHTTPRequest. If you look at this example, it looks secure because the cookie is not visible. But if you look at this example you can see that using XMLHTTPRequest you can still get access to the cookie by looking at the headers. This has been one of those long-standing problems with httpOnly, but it does raise the barrier by shutting down the most obvious way of getting at the cookies, using document.cookie.
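
The behaviour described in the quote above, as an added example that is not part of the original article or of Hansen's post: a small Node.js model of which cookies a page script can read through document.cookie, and which httpOnly cookies still reach it through response headers unless the browser withholds Set-Cookie from script. The header list, cookie names and values, and all function names are constructed for illustration.

```javascript
// Constructed sample response headers (not captured from a real site).
const SAMPLE_HEADERS = [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'SESSIONID=constructed-abc123; Path=/; HttpOnly'],
  ['Set-Cookie', 'theme=dark; Path=/'],
];

// Parse one Set-Cookie value into { name, value, httpOnly }.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // malformed: no cookie name
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
  };
}

// All well-formed cookies set by a list of [name, value] headers.
function cookiesFrom(headers) {
  return headers
    .filter(([name]) => name.toLowerCase() === 'set-cookie')
    .map(([, value]) => parseSetCookie(value))
    .filter(Boolean);
}

// Model of document.cookie in a browser that honours httpOnly.
function documentCookieView(headers) {
  return cookiesFrom(headers)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Model of the headers a script can read back from a response.
// filterSetCookie=false is the gap in the quote; true is the mitigation.
function scriptReadableHeaders(headers, filterSetCookie) {
  return headers.filter(
    ([name]) => !(filterSetCookie && name.toLowerCase() === 'set-cookie'));
}

// Names of httpOnly cookies that script can still read via headers.
function httpOnlyExposedViaHeaders(headers, filterSetCookie) {
  return cookiesFrom(scriptReadableHeaders(headers, filterSetCookie))
    .filter((c) => c.httpOnly)
    .map((c) => c.name);
}
console.log(documentCookieView(SAMPLE_HEADERS),
  httpOnlyExposedViaHeaders(SAMPLE_HEADERS, false));
```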
