Reply content:
HttpOnly can prevent cookies from being stolen, but it is not a panacea. Convenience and security always run counter to each other. From a development standpoint, if the overall architecture is deployed with HttpOnly from the beginning, the later maintenance cost will be relatively low. Otherwise, deploying HttpOnly at a later stage is generally quite difficult, mainly because when the business line is very long, deploying HttpOnly affects everything at once.
Take Tencent as an example: you will find this piece of code in their pages:
document.domain = "qq.com";
That is, different second-level domains *.qq.com, and even higher-level domains, can synchronize user information such as cookies.
This brings about an improvement in user experience, but it also foreshadows security issues.
What can an XSS on a Tencent second-level domain do? You can watch this video from pkav:
Is the Internet really safe? http://v.qq.com/boke/play/t/v/m/t1063qxrovm.html?_out=102
Well, so much has been said above, let's summarize:
1. Whether HttpOnly is widely adopted depends on the scenario. Talking about HttpOnly without the scenario is being a hooligan.
2. HttpOnly is not a panacea. Apache's CVE-2012-0053 can bypass HttpOnly.
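As an added example (not part of the original reply), here is a small Node.js audit that parses Set-Cookie headers and reports the two weaknesses the reply discusses: a session cookie without HttpOnly (and without Secure/SameSite), and a Domain attribute widened to a parent domain so that every sibling subdomain can read it. The host name www.example.com and the sample headers are constructed for the example.

```javascript
// Added example: audit Set-Cookie headers for HttpOnly/Secure/SameSite and
// for over-broad Domain scope. Sample headers below are constructed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1),
    httpOnly: false, secure: false, sameSite: null, domain: null,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      case 'samesite': cookie.sameSite = v.toLowerCase(); break;
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
    }
  }
  return cookie;
}

// `host` is the host that sent the response. A Domain attribute naming a
// parent of it makes the cookie visible on every sibling subdomain, which is
// the cross-subdomain exposure the reply describes for *.qq.com.
function auditCookie(header, host) {
  const c = parseSetCookie(header);
  const h = host.toLowerCase();
  const findings = [];
  if (!c.httpOnly) findings.push('missing HttpOnly (readable via document.cookie)');
  if (!c.secure) findings.push('missing Secure (sent over plain HTTP)');
  if (!c.sameSite || c.sameSite === 'none') findings.push('SameSite does not restrict cross-site sends');
  if (c.domain && c.domain !== h && h.endsWith('.' + c.domain)) {
    findings.push('Domain=' + c.domain + ' shares the cookie with all *.' + c.domain + ' subdomains');
  }
  return { name: c.name, findings };
}

function auditAll(headers, host) {
  return headers.map((hdr) => auditCookie(hdr, host));
}

// Constructed samples: a weak session cookie and its hardened counterpart.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Domain=example.com',
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditAll(SAMPLE_HEADERS, 'www.example.com'), null, 2));
}
```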