undefined | Better HN

0 pointsmichaelt8mo ago0 comments

> This was solved a long time ago by marking such cookies as "HTTP only"

That stops the attacker from exfiltrating your cookies with their evil JavaScript - but they can still have their script make http requests, and they’ll be made with your cookies.

Or they can throw up a fake login page, which will fool plenty of users because it’s on the right URL, and do what they like with your inputs. Lots of attack options.

0 comments

blincoln8mo ago

This is true, but additionally, the HttpOnly flag is now mostly a relic, because so much web app logic runs in JS in the browser and makes API calls. That code generally needs access to tbe cookies, or something equivalent, like a bearer token.

j / k navigate · click thread line to collapse

0 pointsmichaelt8mo ago0 comments

> This was solved a long time ago by marking such cookies as "HTTP only"

That stops the attacker from exfiltrating your cookies with their evil JavaScript - but they can still have their script make http requests, and they’ll be made with your cookies.

Or they can throw up a fake login page, which will fool plenty of users because it’s on the right URL, and do what they like with your inputs. Lots of attack options.

0 comments

blincoln8mo ago

j / k navigate · click thread line to collapse