Open main menu

Manual:$wgCookieHttpOnly


Other languages:
English • ‎polski • ‎日本語
Cookies: $wgCookieHttpOnly
Set the httpOnly flag on all cookies set by MediaWiki (to prevent access from JavaScript).
Introduced in version:1.13.0
Removed in version:still in use
Allowed values:(boolean)
Default value:true on PHP 5.2 or later, false on earlier

DetailsEdit

Set the httpOnly flag on all cookies set by MediaWiki (to prevent access from JavaScript, see section 6.1.2.6 of RFC 6265). This can mitigate some classes of XSS attacks.

Browsers known to support HttpOnlyEdit

  • IE/Win 6 SP1 or 7
  • Firefox 2.0.0.5+
  • Opera 9.50 beta
  • Konqueror (3.4?)

Browsers known to ignore HttpOnlyEdit

Browsers that don't understand HttpOnly cookies should still store and use the cookie as normal, but will still expose them to JavaScript code.

  • Safari 3.1
  • Opera 9.27 (current non-Beta release)
  • Old scary browsers like IE for Mac and Netscape 4 ;)

See alsoEdit

External linksEdit