Firefox raises barrier to cross-site scripting attacks

Firefox raises barrier to cross-site scripting attacks

Summary: Mozilla has quietly fitted a new security feature into the latest Firefox update, adding the ability for the browser to prevent cross-site scripting attacks.

TOPICS: Browser, Security

Mozilla has quietly fitted a new security feature into the latest Firefox update, adding the ability for the browser to prevent cross-site scripting attacks.

The change, which was not officially announced, implements httpOnly cookies in Firefox, the most recent refresh of the open-source browser.

Web application security experts are welcoming the move, which had been in the works for a few years.

Robert 'RSnake' Hansen, however, is noting that the new browser remains vulnerable to credential leakage via XMLHTTPRequest.

I saw a few different people mention over the last few days that httpOnly has been added to Firefox Very exciting stuff - as this has long been missing for over two years. There are some major pros and cons when using httpOnly on cookies. The pros are that httpOnly cookies aren’t visible in JavaScript space using document.cookie and that makes XSS much more difficult when using it in context of credential theft. The cons are that it doesn’t work in all browsers and in some browsers, like WebTV and IE5.5 on Mac it can actually cause the page to fail to load. Granted the user base on those browsers is pretty minimal but that may be a show stopper for some people.

The only problem I see with using this as protection against credential theft is that the cookies are still visible using XMLHTTPRequest. If you look at [this example], it looks secure because the cookie is not visible. But if you look at this example you can see that using XMLHTTPRequest you can still get access to the cookie by looking at the headers. This has been one of those long standing problems with httpOnly, but it does raise the barrier by shutting down the most obvious way of getting at the cookies, using document.cookie.

Topics: Browser, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • httponly doesn't prevent XSS

    This doesn't prevent cross-site scripting. It mitigates the damage that can be done if a cross-site scripting vulnerability is exploited. One of the most common actions is to steal cookies to impersonate someone. With httponly cookies that becomes more difficult or impossible. But it doesn't actually do anything to fix the existing cross-site scripting vulnerabilities, and there are plenty of other dangerous things that can happen if a site is vulnerable to XSS besides stealing cookies.

    Also -- it's worth noting that this is one area where IE was well ahead of Firefox. The IE Dev team invented the idea of httpcookies and implemented them in IE some time ago -- that's why everyone talks about how it's good that mozilla's finally catching up.
    • so close ... and yet so far

      Although it just goes to show that billions of dollars thrown at something will eventually yield a good idea (ie, httponly / httpcookies), it is unfortunate that the IE team didn't feel compelled to share it with the Mozilla team before finalization so the whole problem could be addressed not just part of it. NIH: corporate dream or malaise? Any idea why Japanese car manufacturers kicked our butts? Because, at one time, they collaborated in the beginning to get the best bang for the R&D buck before heading home to differentiate the new-found knowledge for their demographic market. Yes, I know: giving more than lip-service to Charles Deming and DIN standards certainly didn't hurt them either. But you get my drift: two heads are better than one sometimes.
  • httpOnly is in IE6 since years!

    httpOnly is in IE6 since years!
  • IE6 has httpOnly since years!

    IE6 has httpOnly since years!
  • IE6 has httpOnly protection since years!

    IE6 has httpOnly protection since years!
    • Yeah... we heard you the FIRST time.

      Hallowed are the Ori
      • Maybe...

        ...he was waiting for one of us to tell him which was the correct way to say it?
        Dr. John
    • no worries

      No worries, mate!

      We got the message ... although I think another fella already mentioned this yesterday.

      @Everyone else: do not bother with further replies as this user is totally anonymous (ie, the mailinator domain is a temp address generator). Wait ... maybe it's Bill Gates incognito!! Coooool.
  • Add no-script to Firefox

    I added the extension NO_SCRIPTD to firefox. Now I decide what scripts run.
  • The example shows nothing in IE7 and Firefox

    Both browsers show nothing, except I get a alert pop-up box with an exclamation mark and that's what it says in the source of the page. So I don't get what this story is about. I upgraded to the latest Firefox a couple of days ago. What would have happened with the previous version?
    Could it be that you need to make a link to a second example for XMLHTTPRequest? That might make things clearer.
  • Update makes Firefox crash often

    Firefox updated itself to version and it has crashed for several times (at least 4 times in the last 24 hours). I hope they can patch this soon

    My config:

    - XP Pro SP2
    - Firefox