[wp-trac] [WordPress Trac] #7677: WordPress should implement HttpOnly Cookies to slow down XSS
WordPress Trac
wp-trac at lists.automattic.com
Wed Sep 3 15:06:58 GMT 2008
#7677: WordPress should implement HttpOnly Cookies to slow down XSS
-----------------------+------------------------------------------------------
Reporter:  _ck_        | Owner:     anonymous
Type:      defect      | Status:    new
Priority:  high        | Milestone: 2.6.2
Component: General     | Version:
Severity:  normal      | Keywords:  cookies
-----------------------+------------------------------------------------------
While it's far from perfect and there are complex ways around it, HttpOnly
Cookies are supported now by all major browsers and will prevent many
kinds of XSS attacks.

HttpOnly Cookies simply prevent cookies from being accessed via
JavaScript's document.cookie, so an admin's WP cookie cannot be easily
forwarded to another domain via injected JavaScript.

I need to do more research, but it should be fairly easy to implement.
I'll suggest this for bbPress and BackPress too.
--
Ticket URL: <http://trac.wordpress.org/ticket/7677>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
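The protection the ticket asks for only holds if every cookie that carries a session is flagged, so the check a practitioner wants is an audit of the Set-Cookie headers a site actually emits. The following is an added example, not code from the ticket or from WordPress: it parses each Set-Cookie header and reports session cookies (assumed here to be those with the wordpress prefix) that lack the HttpOnly attribute. The cookie names and values are constructed for the example.

```python
"""Audit Set-Cookie headers for the HttpOnly flag (added example, not WordPress code)."""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into its name, value and lowercased attributes.

    Attribute names are case-insensitive per the cookie spec, so they are
    normalised to lowercase; flag attributes without a value map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookies_missing_httponly(headers, session_prefixes=("wordpress",)):
    """Return the names of session cookies that a script could read via document.cookie.

    Only cookies whose name starts with one of session_prefixes are treated as
    session-bearing (assumption for this example); others are ignored.
    """
    missing = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not cookie["name"].lower().startswith(session_prefixes):
            continue
        if "httponly" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


# Constructed sample response headers: one flagged session cookie, one
# unflagged session cookie, and one harmless preference cookie.
SAMPLE_HEADERS = [
    "wordpress_logged_in_abc123=admin%7C1220000000%7Cdeadbeef; path=/; HttpOnly",
    "wordpress_abc123=admin%7C1220000000%7Ccafef00d; path=/wp-admin",
    "wp-settings-time-1=1220000000; expires=Thu, 03-Sep-2009 15:06:58 GMT; path=/",
]

if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"session cookie without HttpOnly: {name}")
```

Feed it the raw Set-Cookie headers from a login response (one list entry per header, since a single header can contain commas in its Expires value) and an empty result means every session cookie carries the flag.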