Re: [PHP-DEV] HTTP-Only Patch

2006-08-10 Thread Ilia Alshanetsky

Scott,

Thanks for the patch, it is now part of the 5.2 tree.

Ilia

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DEV] HTTP-Only Patch

2006-08-08 Thread steve

> IE for Mac isn't part of our test suite here so I never gave it a check, frankly
> it's no longer supported by Microsoft or Apple and has since been superseded by
> Safari.

Yeah, save for people with MacOS 9. Again, who cares? Just thought a
note should go in the manual (just a comment on the cookie page would
be enough). End users could do a browser check if they wanted.

I think having this will increase the use of it, which would be better
for everyone. :)




Re: [PHP-DEV] HTTP-Only Patch

2006-08-07 Thread Ilia Alshanetsky
Seems like a good idea to me. If no one objects I'll apply this
patch, thanks Scott.


Ilia Alshanetsky




Re: [PHP-DEV] HTTP-Only Patch

2006-08-07 Thread Brian Moon

Scott MacVicar wrote:

> Hi,
>
> After we recently experienced an XSS through what can only be described
> as IE's shocking attempt at determining the mime type from the data and
> ignoring what the server sent we decided to look into implementing
> HTTP-only cookies. We know it's not a solution for preventing XSS, but
> adding this would complicate the process for those wanting to exploit
> any discovered problems before they are rectified.
>
> HTTP-only is a feature in IE 6 SP1, Opera, Safari and KDE to allow the
> setting of cookies that will only be sent via HTTP headers and never
> accessible via client side scripting.
>
> Ref: http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
>
> I've added the flags for setcookie and setrawcookie. There is also
> support for the session system included.


+1

--

Brian Moon
-
http://dealnews.com/
It's good to be cheap =)

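The setcookie()/setrawcookie() flags and the session support Scott describes in the quoted message above, shown as an added example; this is not code from the thread or from the patch itself. It assumes PHP 5.2 or later (the version the patch went into), where setcookie() and setrawcookie() take a seventh $httponly argument, session_set_cookie_params() takes a fifth one, and the session.cookie_httponly ini directive exists. The cookie_headers_missing_httponly() helper at the end is a hypothetical name added here as a server-side check; the cookie names and values are constructed for the example.

```php
<?php
// Added example (not from the patch or the thread). Assumes PHP >= 5.2.
// Must run under a web SAPI before any output is sent, since cookies are headers.

// 1. Session cookie: make it HttpOnly before session_start(). Either the ini
//    directive or session_set_cookie_params() (lifetime, path, domain, secure,
//    httponly) does the job; both set the same session.cookie_httponly flag.
ini_set('session.cookie_httponly', '1');
// Equivalent explicit form:
// session_set_cookie_params(0, '/', '', false, true);
session_start();

// 2. Application cookies: the seventh argument of setcookie() appends
//    "; HttpOnly" to the Set-Cookie header.
//    setcookie(name, value, expire, path, domain, secure, httponly)
setcookie('prefs', 'theme=dark', time() + 86400, '/', '', false, true);

// setrawcookie() has the same signature but does not URL-encode the value.
// Here the cookie is also marked Secure, so it is only sent over HTTPS.
setrawcookie('token', 'abc.def', 0, '/', '', true, true);

// The header emitted for 'prefs' looks like (expiry date constructed):
//   Set-Cookie: prefs=theme%3Ddark; expires=Thu, 10-Aug-2006 ...; path=/; HttpOnly
// A browser that supports the flag still returns the cookie on requests but
// hides it from document.cookie; one that does not (Gecko at the time, per the
// thread) ignores the attribute and treats it as an ordinary cookie. The flag
// therefore limits what an injected script can read; it does not fix the XSS.

// 3. Hypothetical helper: list any Set-Cookie headers queued for this response
//    that lack HttpOnly, so a deployment can catch cookies that were set
//    through a code path that forgot the flag.
function cookie_headers_missing_httponly()
{
    $missing = array();
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie:') === 0
            && stripos($header, 'httponly') === false) {
            $missing[] = $header;
        }
    }
    return $missing;
}

// Example use: log (never echo into the page) anything that slipped through.
foreach (cookie_headers_missing_httponly() as $header) {
    error_log('cookie set without HttpOnly: ' . $header);
}
```

The check runs against headers_list(), which reflects what has been queued for the current response, so it only sees cookies set earlier in the same request; it is a cheap regression guard, not a substitute for setting the flag at every call site.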



Re: [PHP-DEV] HTTP-Only Patch

2006-08-07 Thread Richard Lynch
On Mon, August 7, 2006 9:53 am, Scott MacVicar wrote:
> After we recently experienced an XSS through what can only be
> described as IE's shocking attempt at determining the mime type from
> the data and ignoring what the server sent

In case anybody finds this in a Google search, I have found that this
IE stupidity of ignoring headers can be worked around at an
application level by:
A) Forcing the URL to end in the .xyz extension Windows is configured
to believe is the given type of document (eg .pdf for PDF)
B) Putting the content-type/charset in a META tag within an HTML
document [1]

[1] This one really only applies to charset -- apparently, Microsoft
believes web Designers are smarter than web Developers about
content-type... :-v

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP-DEV] HTTP-Only Patch

2006-08-07 Thread steve

Just a note -- having implemented and deployed this (in userspace, not
in php itself) -- setting the http_only flag kills the cookie in IE on
the Mac. One would hope no one is using such a thing anymore, but I
thought I'd point it out, and I'm definitely in favor of the change.
Maybe it will get Mozilla to finally implement it (and deal with a
cookie file format change -- ooh, biggie).




Re: [PHP-DEV] HTTP-Only Patch

2006-08-07 Thread Scott M
Quoting steve [EMAIL PROTECTED]:

> Just a note -- having implemented and deployed this (in userspace, not
> in php itself) -- setting the http_only flag kills the cookie in IE on
> the Mac. One would hope no one is using such a thing anymore, but I
> thought I'd point it out, and I'm definitely in favor of the change.
> Maybe it will get Mozilla to finally implement it (and deal with a
> cookie file format change -- ooh, biggie).

IE for Mac isn't part of our test suite here so I never gave it a check, frankly
it's no longer supported by Microsoft or Apple and has since been superseded by
Safari. Suitable documentation can be added explaining the problem with IE for
Mac, though I suspect it has already disappeared through its lack of support for
Web 2.0.

Our test results showed that Opera, Webkit, Gecko and IE based browsers had no
problem with the cookie format sent; those which didn't support HttpOnly simply
ignored it (Gecko).

The Mozilla feature request is at
https://bugzilla.mozilla.org/show_bug.cgi?id=178993. A patch was submitted after
sponsorship from Live Journal, but since the change wasn't backwards compatible
with older versions of the browsers they refused to implement it.

Cheers,
Scott
