web application security lab

Firefox HTTPOnly Implementation In JavaScript

I found a clever paper by Stefano Di Paola, written back in July, on implementing HTTPOnly in JavaScript for Firefox. It is a neat workaround for Firefox’s aggravatingly slow adoption of Microsoft’s proprietary HttpOnly cookie flag, which keeps a flagged cookie out of document.cookie so that injected script cannot read it and send it off to the attacker.

To paraphrase: the page’s own script overrides the cookie accessor on Firefox’s HTMLDocument prototype, so that document.cookie hands back a filtered view with the protected cookies left out (which sounds like a dangerous idea if you ask me, but there you have it). Click here to see a demonstration. This could be a better solution than Stefan Esser’s HTTPOnly Firefox extension, since very few people use that.

Gerv also mentioned the technique on his site (Gerv works for Mozilla). It is a cool technique in a pinch, but I’d MUCH rather see someone just fix Firefox. Yes, HTTPOnly has issues of its own, including breaking things like WebTV (yes, there are still WebTV users out there). But I’d rather break a few very non-standard clients and upgrade the entire Internet in the process (either that, or whitelist those browsers in your web server so the HttpOnly attribute is omitted for them).

4 Responses to “Firefox HTTPOnly Implementation In JavaScript”

  1. maluc Says:

    uh.. so what’s to stop an XSS exploit from rewriting the prototype back to normal, then stealing them..

    trying to stop javascript with javascript by overwriting javascript when that can be overwritten in return.. seems rather counter-productive. -.-

    but i left my Jump to Conclusions mat at home :x .. so maybe i’m way off.

  2. RSnake Says:

    Well after doing a little research it turns out you’re right:

    http://blog.mattmecham.com/archives/2006/09/

    If you add this line to your JavaScript:

    delete HTMLDocument.prototype.cookie;

    It removes the prototype and voila. His solution to fixing it is pretty complex and gives me the willies when I look at the code. Maybe this isn’t such a good avenue after all.

  3. RSnake Says:

    It’s funny, when reading the bug on HTTPOnly https://bugzilla.mozilla.org/show_bug.cgi?id=178993#c64

    it ends with a comment from Gerv discussing content restrictions, which, although many people may not know it, came directly from me in a very long email thread between Rafael Ebron and me; he eventually passed it out to the Mozilla team when Gerv picked it up. I was trying to find a way to secure a very very large website by making the page define the security restrictions and the policy on the page, since iframes aren’t cutting it. Iframes aren’t capable of knowing how big the content inside of them is supposed to be, making it a horrible aesthetic experience if you want to get rid of multiple scroll bars (which confuse most users). I also asked Gerv to modify the iframe (which eventually we realized would cause security risks across domains by allowing other domains to see the size of the page, which may give you clues about the state of the user who is visiting it). You can see my email to him about this here: http://weblogs.mozillazine.org/gerv/archives/007610.html

    This is totally spiraling out of control. Where are the W3C’s, the WHATWG’s or the IEEE’s of the world? Who is actually setting the application strategy for these major browsers? I sure as hell hope it isn’t just me!

  4. camera Says:

    matt’s solution is also easy to circumvent, just obfuscate the delete statement a little bit, like this, for example:

    delete HTMLDocument['prot'/* oot oto toto */+'otype']['co'/* ook okok ko */+'okie'];
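The whole exchange in one runnable piece, as an added example that is not Di Paola’s paper, Mecham’s code or anything posted in the comments above. It is a constructed model of the prototype chain the post and the comments describe for Firefox of that era: the browser’s native document.cookie accessor sits beneath HTMLDocument.prototype, a script-level “HttpOnly” shadows it with a filtering getter, and the one-line delete from comment 2 (or its obfuscated twin from comment 4) strips the shadow so the native accessor resolves again. The jar, the HTMLDocument stand-in and the cookie names are assumptions made for the demonstration; none of it is a real browser API, and it runs under Node.

```javascript
'use strict';

// Constructed model (added example, not the paper's or the comments' code)
// of the 2006-era Firefox prototype chain the thread describes. Nothing
// here is a real browser API.

// Serialise a cookie jar the way document.cookie presents it.
function serialiseJar(jar) {
  return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
}

// Stand-in for the browser's built-in accessor, backed by a jar that page
// script can only reach through the accessor. HTMLDocument.prototype sits
// on top of this layer, exactly where Di Paola's override would go.
function makeBrowser(jar) {
  const nativeLayer = {};
  Object.defineProperty(nativeLayer, 'cookie', {
    configurable: true,
    get() { return serialiseJar(jar); },
    set(str) {
      // Only the name=value pair matters for this model; attributes are ignored.
      const pair = str.split(';')[0];
      const eq = pair.indexOf('=');
      jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
    },
  });
  function HTMLDocument() {}                   // constructor stand-in (assumption)
  HTMLDocument.prototype = Object.create(nativeLayer);
  const document = new HTMLDocument();
  return { HTMLDocument, document };
}

// Script-level HttpOnly emulation: shadow the accessor on
// HTMLDocument.prototype with a getter that drops the protected names from
// what script can read, while writes still reach the underlying jar.
function installScriptHttpOnly(HTMLDocument, protectedNames) {
  const proto = HTMLDocument.prototype;
  const native = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(proto), 'cookie');
  const hidden = new Set(protectedNames);
  Object.defineProperty(proto, 'cookie', {
    configurable: true,   // a script-defined property is deletable: the weakness
    get() {
      return native.get.call(this)
        .split('; ')
        .filter((p) => p && !hidden.has(p.slice(0, p.indexOf('='))))
        .join('; ');
    },
    set(str) { native.set.call(this, str); },
  });
}

// The bypass from the comments: the plain form, and the obfuscated form that
// defeats a naive string match on "delete HTMLDocument.prototype.cookie".
function bypassPlain(HTMLDocument) {
  delete HTMLDocument.prototype.cookie;
}
function bypassObfuscated(HTMLDocument) {
  delete HTMLDocument['prot' /* oot oto toto */ + 'otype']['co' /* ook okok ko */ + 'okie'];
}

// Walk through the attack and return what script sees at each step.
function demo(bypass = bypassPlain) {
  const jar = { SESSIONID: 'abc123', theme: 'dark' };   // constructed sample jar
  const { HTMLDocument, document } = makeBrowser(jar);
  const before = document.cookie;                        // native view, everything visible
  installScriptHttpOnly(HTMLDocument, ['SESSIONID']);
  const protectedView = document.cookie;                 // SESSIONID is hidden
  document.cookie = 'lang=en; path=/';                   // writes still pass through
  const afterWrite = document.cookie;
  bypass(HTMLDocument);                                  // the XSS payload's one line
  const bypassed = document.cookie;                      // native getter resolves again
  return { before, protectedView, afterWrite, bypassed };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo(bypassPlain));
  console.log(demo(bypassObfuscated));
}
```

The model encodes the point maluc made: anything defined by script on the prototype is configurable, so the same XSS that wants the cookie can delete the shadow first, and rewriting the delete with computed property names beats any filter that looks for the literal statement. Note that the “native accessor comes back” step is the old Firefox behaviour the comments report; in current browsers the accessor lives on Document.prototype and, once deleted, is simply gone, which changes the failure mode but not the conclusion that script cannot protect cookies from script.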
