Home > Backend Development > PHP Tutorial > Since HttpOnly can prevent XSS from stealing cookies, why is it not widely used?

Since HttpOnly can prevent XSS from stealing cookies, why is it not widely used?

WBOY
Release: 2016-08-10 08:50:40
Original
1568 people have browsed it

Reply content:

http-only can prevent cookies from being stolen, but it is not a panacea. Convenience and security always run counter to each other. In terms of development, unless the overall architecture is deployed with httponly at the beginning, the later maintenance costs will be relatively low. Otherwise, in the later stages, it will generally be relatively difficult to deploy httponly. Mainly reflected in: when the business line is very long, deploying httponly is equivalent to affecting the whole body.
Take Tencent as an example: you will find a piece of code in it:
document.domain="qq.com";
that is, different second-level domain names*.qq.com and even higher-level domain names can synchronize user information such as cookies.
This brings about an improvement in user experience, but it also foreshadows security issues.
What can a second-level domain name xss from Tencent do? You can watch this video from pkav:
Since HttpOnly can prevent XSS from stealing cookies, why is it not widely used? Is the Internet really safe? http://v.qq.com/boke/play/t/v/m/t1063qxrovm.html?_out=102 Well, so much has been said above, let’s summarize:
1 , Whether httponly is popularized [widely used] depends on the scenario. Talking about httponly without the scenario is to be a hooligan.
2. httponly is not a panacea. Apache's cve-2012-0053 can break through httponly.
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template