by
mr_toad
2396 days ago
> The only very minor difference between first and third party script inclusion is access to HttpOnly cookies
That’s not a minor difference, http only is used for authentication.
1 comments
jefftk
2396 days ago
Correct. Authentication should always be via cookies with "HttpOnly" set, since (a) the cookie is not needed client side and (b) it somewhat limits the damage XSS can do.
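The HttpOnly point made in this thread, as an added example that is not part of either comment: a small Node.js check that parses `Set-Cookie` headers and reports authentication cookies that page script could still read through `document.cookie`. The cookie names, sample headers and the `isAuth` predicate are constructed for illustration.

```javascript
// Added example: audit Set-Cookie response headers for auth cookies that
// page script could read via document.cookie (i.e. HttpOnly is missing).
// Cookie names and values below are constructed sample data.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  if (eq < 1) return null; // no name=value pair: not a usable cookie
  const attrs = new Map();
  for (const part of parts) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; flags like HttpOnly carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name: first.slice(0, eq).trim(), value: first.slice(eq + 1), attrs };
}

// Return the names of auth cookies that lack HttpOnly. `isAuthCookie` is a
// hypothetical predicate the caller supplies to pick out session cookies.
function scriptReadableAuthCookies(setCookieHeaders, isAuthCookie) {
  const exposed = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (!cookie || !isAuthCookie(cookie.name)) continue;
    if (!cookie.attrs.has('httponly')) exposed.push(cookie.name);
  }
  return exposed;
}

// Constructed sample response headers.
const sampleHeaders = [
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'auth_token=def456; Path=/; Secure', // missing HttpOnly
  'theme=dark; Path=/',                // not an auth cookie, read by client JS
  'sid=ghi789; path=/; httponly',      // lowercase attribute still counts
];
const isAuth = (name) => /^(session|sid|auth_token)$/.test(name);
console.log(scriptReadableAuthCookies(sampleHeaders, isAuth));
```

Only the attribute list after the first `;` is inspected, so a cookie whose value happens to contain the text `HttpOnly` is still reported.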