Which browsers do support HttpOnly cookies, and since which version?
Please see http://www.codinghorror.com/blog/archives/001167.html for a discussion of HttpOnly cookies and XSS-prevention.
A:
All major browsers support HttpOnly.
- Microsoft IE 5.0+
- Mozilla Firefox 1.0+
- Google Chrome
- Apple Safari
- Opera 8.0+
Nick Berardi
2009-02-09 14:49:09
I don't think that's true--can you provide references?
Michael Haren
2009-02-09 14:50:16
I've seen reports that "IE6 SP1" and "Firefox 2.0.0.5" "now support HttpOnly cookies", which leads me to believe that at least IE5 and Firefox 1 *dont* support it.
Joachim Sauer
2009-02-09 14:52:17
+3
A:
Feel free to add to this list:
- Internet Explorer since 6 sp1 (source, source)
- Firefox since 2.0.0.5 (source)
- Opera since 9.5 (possibly earlier) (source)
Safari and Chrome may not have support yet--but it should be coming soon if it's not there already. Please edit this answer if you find a more recent reference!
Michael Haren
2009-02-09 14:49:54
Thanks! Found this list which adds some info: http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly
knorv
2009-02-09 22:11:31
+1
A:
OWASP have this documented. See http://www.owasp.org/index.php/HttpOnly
Ian
2010-07-29 07:43:04