by nemothekid
3675 days ago
The blog post tackles this. As I understand it, if the attacker can run `localStorage.getItem` on your webpage, you are already screwed. They will just craft an AJAX request, which will have the `httpOnly` cookies tagged on, and send that data back to the attacker's servers. `httpOnly` doesn't protect you from anything if you are using those same cookies in AJAX requests.