Jeremy Henty wrote:
Dillo won't let me log in to Wikipedia! Of course this may be a *good* thing. :-) After making the MSG a little more verbose (patch attached) it reports that it is rejecting the HttpOnly attribute (log attached). I *think* this attribute is a security feature to avoid hacks that trick your browser into relaying cookie info from an http connection to an https connection. What should dillo do here?

The HttpOnly flag indicates that the cookie should only be passed via HTTP requests and not be accessible by client-side scripts. The idea is to make cross-site scripting attacks harder by preventing an injected script from accessing a site's authentication tokens or other data stored in cookies.

So long as Dillo doesn't have client-side scripting, the attribute can just be ignored.

More info:
http://msdn.microsoft.com/en-us/library/ms533046.aspx
http://www.owasp.org/index.php/HTTPOnly

The second link includes a table of current support in various browsers.

--
Kelson Vibber
Hyperborea.org - SpeedForce.org - AlternativeBrowserAlliance.com
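
The behaviour suggested in the reply above, as an added example (not Dillo's code and not code from this thread): a minimal Set-Cookie parser that records HttpOnly as a valueless flag and skips attributes it does not know instead of rejecting the cookie. The struct, the function names and the buffer sizes are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>
/* Hypothetical type for this example; not Dillo's own cookie structure. */
struct cookie { char name[64], value[256], path[128]; int secure, http_only; };

/* Trim whitespace in place; returns the new start of the string. */
static char *trim(char *s) {
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* Cut s at the first ch; returns the text after it, or NULL if ch is absent. */
static char *split(char *s, int ch) { char *p = strchr(s, ch); if (p) *p++ = '\0'; return p; }

/* Case-insensitive equality for ASCII attribute names. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Parse a Set-Cookie value: 0 on success, -1 if name=value is missing or oversized. */
int parse_set_cookie(const char *header, struct cookie *c) {
    char buf[1024];
    if (strlen(header) >= sizeof buf) return -1;
    strcpy(buf, header);
    memset(c, 0, sizeof *c);
    char *next = split(buf, ';');          /* attributes follow the first ';' */
    char *v = split(buf, '=');
    if (!v) return -1;
    char *n = trim(buf);
    v = trim(v);
    if (!*n || strlen(n) >= sizeof c->name || strlen(v) >= sizeof c->value) return -1;
    strcpy(c->name, n);
    strcpy(c->value, v);
    for (char *attr = next; attr; attr = next) {
        next = split(attr, ';');
        char *val = split(attr, '=');      /* NULL for valueless flags */
        attr = trim(attr);
        if (ieq(attr, "HttpOnly")) c->http_only = 1;
        else if (ieq(attr, "Secure")) c->secure = 1;
        else if (ieq(attr, "Path") && val && strlen(val = trim(val)) < sizeof c->path)
            strcpy(c->path, val);
        /* Any other attribute is skipped; the cookie itself is kept. */
    }
    return 0;
}
```

A client that later gains scripting support can use the recorded `http_only` flag to keep such cookies out of reach of scripts.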