Which browsers support HttpOnly cookies, and since which version?

Please see http://www.codinghorror.com/blog/archives/001167.html for a discussion of HttpOnly cookies and XSS-prevention.

A: 

All major browsers support HttpOnly.

  • Microsoft IE 5.0+
  • Mozilla Firefox 1.0+
  • Google Chrome
  • Apple Safari
  • Opera 8.0+
Nick Berardi
I don't think that's true--can you provide references?
Michael Haren
I've seen reports that "IE6 SP1" and "Firefox 2.0.0.5" "now support HttpOnly cookies", which leads me to believe that at least IE5 and Firefox 1 *don't* support it.
Joachim Sauer
+3  A: 

Feel free to add to this list:

  • Internet Explorer since 6 sp1 (source, source)
  • Firefox since 2.0.0.5 (source)
  • Opera since 9.5 (possibly earlier) (source)

Safari and Chrome may not have support yet--but it should be coming soon if it's not there already. Please edit this answer if you find a more recent reference!

Michael Haren
Thanks! Found this list which adds some info: http://www.owasp.org/index.php/HTTPOnly#Browsers_Supporting_HTTPOnly
knorv
+1  A: 

OWASP have this documented. See http://www.owasp.org/index.php/HttpOnly

Ian