dippynark

Reputation: 3003

How do HttpOnly cookies work with Javascript and authentication proxies?

I have a web application behind an OIDC reverse proxy -- in other words, when I visit this application I am redirected to my identity provider, I log in and my browser sets a cookie which is used on subsequent requests to prove that I have logged in.

This cookie has the HttpOnly flag set, which I understand to be best practice to prevent XSS vulnerabilities being exploited by a malicious website.

However, as expected, Javascript within my application does not have access to the login cookie, so in my browser's console I see requests back to the application (trying to update dynamic content through both HTTP requests and websocket connections) being redirected to my identity provider (and blocked by CORS policy) since they do not have access to the login cookie.

Upvotes: 0

Views: 565

Answers (1)

Quentin

Reputation: 943556

Does this mean that such an architecture cannot use Javascript?

No. It means JS cannot read data from the cookie.

I see requests back to the application (trying to update dynamic content through both HTTP requests and websocket connections) being redirected to my identity provider (and blocked by CORS policy) since they do not have access to the login cookie.

The CORS policy should not block requests because cookies are missing.

If a cookie is missing then it is probably because you are (a) getting your origins mixed up and that origin doesn't have a cookie or (b) you didn't enable the credentials option for a cross-origin request.

Is it common to disable the HttpOnly flag to allow Javascript to work?

No.

My understanding is that Javascript from a malicious website at a different origin trying to access my application would be blocked by CORS anyway, so would keeping the HttpOnly flag only help against attacks where the attacker managed to inject Javascript into my application?

Yes. XSS attacks are so common that there are many tools to mitigate against them. This is one of them.

Upvotes: 1
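An added example, not part of the question or the answer above, that models the two points the answer makes: an HttpOnly cookie is hidden from `document.cookie` but is still attached by the browser to same-origin requests, and a cross-origin request only carries it when the page opts in with `credentials: 'include'` (and the cookie's SameSite attribute allows it). The cookie name `oidc_session`, the origins `app.example.com`, `www.example.com`, `other.example.org` and the IdP URL are assumptions chosen for illustration; the cookie jar and the proxy are simplified in-memory stand-ins for a real browser and a real OIDC reverse proxy. This runs offline under Node, without any network access.

```javascript
// Added example (not code from the original page): an in-memory model of how a
// browser decides which cookies to attach to a request, and of an auth proxy that
// redirects to the IdP when the session cookie is missing.
// All names below (cookie name, origins, IdP URL) are assumptions.

const SESSION_COOKIE = 'oidc_session';                 // assumed cookie name
const APP_ORIGIN = 'https://app.example.com';          // assumed application origin
const IDP_LOGIN = 'https://idp.example.com/authorize'; // assumed IdP login endpoint

// Parse one Set-Cookie header into name/value plus the attributes this model uses.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: 'Lax', // modern browsers treat a missing SameSite attribute as Lax
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v;
  }
  return cookie;
}

// "Same site" approximated as "same last two host labels" (example.com vs example.org).
function sameSite(a, b) {
  const site = (u) => new URL(u).hostname.split('.').slice(-2).join('.');
  return site(a) === site(b);
}

class BrowserCookieJar {
  constructor() { this.jar = new Map(); } // key: origin|name

  // Store a cookie that the server at `origin` set.
  store(origin, setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    this.jar.set(`${origin}|${c.name}`, { origin, ...c });
  }

  // What `document.cookie` exposes to page script at `origin`: HttpOnly cookies are hidden.
  documentCookie(origin) {
    return [...this.jar.values()]
      .filter((c) => c.origin === origin && !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }

  // The Cookie header the browser attaches to a fetch() from a page at `pageOrigin`
  // to `requestUrl`. `credentials` mirrors the fetch() option (default 'same-origin').
  cookieHeaderFor(pageOrigin, requestUrl, { credentials = 'same-origin' } = {}) {
    const target = new URL(requestUrl).origin;
    const crossOrigin = target !== pageOrigin;
    if (credentials === 'omit') return '';
    if (crossOrigin && credentials !== 'include') return '';
    return [...this.jar.values()]
      .filter((c) => c.origin === target)
      .filter((c) => !c.secure || requestUrl.startsWith('https:'))
      // SameSite=Lax/Strict cookies are withheld on cross-site subresource requests.
      .filter((c) => c.sameSite === 'None' || sameSite(pageOrigin, requestUrl))
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// The reverse proxy: pass the request through when the session cookie is present,
// otherwise redirect to the IdP. (Validating the cookie's contents is out of scope.)
function authProxy(cookieHeader) {
  const present = cookieHeader.split(';').map((s) => s.trim())
    .some((kv) => kv.startsWith(`${SESSION_COOKIE}=`));
  return present ? { status: 200 } : { status: 302, location: IDP_LOGIN };
}

// Walk through the scenario from the question and return each outcome.
function scenario() {
  const browser = new BrowserCookieJar();
  // Login has completed: the proxy set an HttpOnly session cookie on the app origin.
  browser.store(APP_ORIGIN, `${SESSION_COOKIE}=opaque-token; Path=/; Secure; HttpOnly; SameSite=Lax`);
  browser.store(APP_ORIGIN, 'theme=dark; Path=/'); // an ordinary, script-readable cookie
  const api = `${APP_ORIGIN}/api/items`;
  return {
    // Page script cannot read the session cookie ...
    visibleToJs: browser.documentCookie(APP_ORIGIN),
    // ... but a same-origin request still carries it, so the proxy lets it through.
    sameOrigin: authProxy(browser.cookieHeaderFor(APP_ORIGIN, api)).status,
    // Cross-origin (same site) without credentials: 'include' -> no cookie -> redirect to IdP.
    crossOriginNoCreds: authProxy(browser.cookieHeaderFor('https://www.example.com', api)).status,
    // Same call with credentials: 'include' -> cookie attached -> passes.
    crossOriginWithCreds: authProxy(browser.cookieHeaderFor('https://www.example.com', api, { credentials: 'include' })).status,
    // A page on a different site: SameSite=Lax withholds the cookie even with 'include'.
    crossSiteWithCreds: authProxy(browser.cookieHeaderFor('https://other.example.org', api, { credentials: 'include' })).status,
  };
}

console.log(scenario());
```

Two practical notes. First, in a real browser the `302` to the IdP is what surfaces as a "blocked by CORS policy" error: the redirected request lands on the IdP, whose response has no `Access-Control-Allow-Origin` header, so the failure is a symptom of the missing cookie rather than the cause. Second, a cross-origin `fetch` with `credentials: 'include'` also requires the application (or proxy) to answer with `Access-Control-Allow-Credentials: true` and an explicit, non-wildcard `Access-Control-Allow-Origin`; the model above assumes those headers are in place. `WebSocket` has no credentials option and its handshake carries cookies for the target host subject to the same SameSite rules, so for websocket connections the SameSite attribute and the page origin are the things to check.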
