
When I type `javascript:alert(document.cookie)` in the URL bar, I only get to see some of the cookies which Facebook has set for my account.

I think this is because the other cookies are HTTP only.

  • First question: Is this true? Are some Facebook cookies HTTP only, and is that why I am not able to access them through JavaScript? When I view the cookies in the Web Developer Firefox add-on, I can see so many more cookies. For example: the "xs" cookie is not visible through JavaScript and is only seen through the Web Developer add-on.

  • Second question: How do I access all cookies through JavaScript? If the add-on can do it (access all the cookies), why can't JavaScript do it?

  • Thirdly, if I can't use JavaScript to access all cookies, how should I access them?

Sam

Zer0
  • Why are you trying to access them? Seeing `session-hijacking` and `security` in your tags makes me mighty suspicious... – Polynomial Nov 19 '11 at 14:39
  • @Rook - Anyone who is responsible about what they teach people. – Polynomial Nov 21 '11 at 08:54
  • @Polynomial better than Jeff Atwood claiming that the HttpOnly flag completely and totally stops XSS. In fact that is far more damaging than illuminating its (obvious) shortfalls. – rook Nov 21 '11 at 14:45
  • @Rook - Sure, but I don't see the relevance to this conversation or question... – Polynomial Nov 21 '11 at 15:18

1 Answer


Different browsers will treat the HttpOnly flag in different ways. It should be very clear that the HttpOnly flag does not prevent XSS attacks. Using JavaScript you can still "ride" on the victim's session. The MySpace Samy worm is a good example of this. So you shouldn't need the cookie value, even if you are an attacker.

Firefox add-ons are not subject to the same security limitations as JavaScript running from the address bar or loaded on the page. For instance, the same-origin policy doesn't really apply, because an add-on doesn't have an origin. It is useful and secure enough for add-ons to bypass these rules.

rook