Cross site scripting (aka XSS) is one of the most prevalent web application security issue. In OWASP top 10 for 2010, cross site featured prominently in number 2.
Considering the damage that a successful cross site scripting attack is capable of doing, almost all the successful commercial browsers have tried to provide security features that makes it difficult to execute a successful cross site scripting attack. One of the main ways this attack is carried out is by exploiting the browser’s capability for executing scripts.
Starting Internet Explorer 6 SP1, a new attribute is introduced to the cookies to counter the menace of XSS.
This attribute makes the cookie inaccessible to the scripts, thus stopping malicious script code from executing. The cookies with this attribute set are called HTTP only cookie.
A cookie is set on the client with an HTTP response header.
Set-Cookie: =[; =]
[; expires=][; domain=]
[; path=][; secure][; HttpOnly]
The HttpOnly attribute is not case sensitive and it is important to be noted that this feature must be used in coordination with other XSS mitigation to effectively counter XSS, like:
1. Proper input validation.
2. Adequate output encoding whenever any possible user controlled values are rendered back to the browser.