如何使用 JavaScript 读取 HttpOnly cookie

不同的浏览器 启用不同的浏览器设置 HTTPOnly 标志时的安全措施.例如 Opera 和 Safari 不会阻止 javascript 写入 cookie.但是，在所有主要浏览器的最新版本上始终禁止阅读.

Different Browsers enable different security measures when the HTTPOnly flag is set. For instance Opera and Safari do not prevent javascript from writing to the cookie. However, reading is always forbidden on the latest version of all major browsers.

但更重要的是为什么您想要读取HTTPOnly cookie?如果您是开发人员，只需禁用该标志并确保您针对 xss 测试您的代码.我建议您尽可能避免禁用此标志.HTTPOnly 标志和安全标志"(强制通过 https 发送 cookie)应始终设置.

But more importantly why do you want to read an HTTPOnly cookie? If you are a developer, just disable the flag and make sure you test your code for xss. I recommend that you avoid disabling this flag if at all possible. The HTTPOnly flag and "secure flag" (which forces the cookie to be sent over https) should always be set.

如果您是攻击者，那么您想劫持会话.尽管有 HTTPOnly 标志，但仍有一种简单的方法可以劫持会话.您仍然可以在不知道会话 ID 的情况下参加会话.MySpace Samy 蠕虫 就是这样做的.它使用 XHR 来阅读 CSRF 令牌，然后执行授权任务.因此，攻击者几乎可以做登录用户可以做的任何事情.

If you are an attacker, then you want to hijack a session. But there is an easy way to hijack a session despite the HTTPOnly flag. You can still ride on the session without knowing the session id. The MySpace Samy worm did just that. It used an XHR to read a CSRF token and then perform an authorized task. Therefore, the attacker could do almost anything that the logged user could do.

人们过于相信 HTTPOnly 标志，XSS 仍然可以被利用.您应该在敏感功能周围设置障碍.如更改密码提交，应要求当前密码.管理员创建新帐户的能力应该需要验证码，即 CSRF使用 XHR 无法轻易绕过的预防技术.

People have too much faith in the HTTPOnly flag, XSS can still be exploitable. You should setup barriers around sensitive features. Such as the change password filed should require the current password. An admin's ability to create a new account should require a captcha, which is a CSRF prevention technique that cannot be easily bypassed with an XHR.