[wp-trac] Re: [WordPress Trac] #7677: WordPress should implement HttpOnly Cookies to slow down XSS

WordPress Trac wp-trac at lists.automattic.com
Wed Sep 3 16:41:47 GMT 2008


#7677: WordPress should implement HttpOnly Cookies to slow down XSS
---------------------------------+------------------------------------------
 Reporter:  _ck_                 |        Owner:  anonymous
     Type:  defect               |       Status:  new      
 Priority:  high                 |    Milestone:  2.7      
Component:  Security             |      Version:           
 Severity:  major                |   Resolution:           
 Keywords:  cookies needs-patch  |  
---------------------------------+------------------------------------------
Comment (by _ck_):

 I should point out the only currently known way to hack around `HttpOnly`
 is to trick the user to pass through a proxy to capture the cookie header
 directly from the server (in which case the user has a much bigger problem
 than just their wordpress login). So this is a really helpful lockdown.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/7677#comment:6>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list