6 Matching Annotations
  1. Oct 2021
  2. github.com github.com
    serverFetch not getting called for relative urls · Issue #1823 · sveltejs/kit
    2
    1. TylerRick 25 Oct 2021
      With httponly you only prevent to read the cookie with js, but its still possible to make requests in the name of the user.
      cookies: HttpOnly
    2. TylerRick 25 Oct 2021
      They are on client-side, but (usually) they are HTTPOnly. Now if they are part of session, any client-side script is able to access them, and I just don't like introducing vulnerabilities knowingly. As I said above, I found a workaround that works for me and you may have different opinion from me on how much this is a risk.
      cookies: HttpOnly
    Visit annotations in context

    Tags

    Annotators

    URL

    github.com/sveltejs/kit/issues/1823
  3. Jun 2021
  4. disqus.com disqus.com
    Disqus Comments
    2
    1. TylerRick 10 Jun 2021
      In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
      cookies: HttpOnly mitigation security: cross-site scripting (XSS) vulnerability CSRF localStorage trade-offs
    2. TylerRick 10 Jun 2021
      I started off really wanting to use HttpOnly cookies
      cookies: HttpOnly
    Visit annotations in context

    Tags

    Annotators

    URL

    disqus.com/embed/comments/
  5. May 2021
  6. owasp.org owasp.org
    HttpOnly - Set-Cookie HTTP response header | OWASP
    2
    1. TylerRick 27 May 2021
      the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
      security: cross-site scripting (XSS) vulnerability cookies: HttpOnly mitigation
    2. TylerRick 27 May 2021
      cookies: HttpOnly
    Visit annotations in context

    Tags

    Annotators

    URL

    owasp.org/www-community/HttpOnly