I'm working with a website system in which the session and remember cookies are flagged with Secure and HttpOnly. Now, for various reasons, I need to access the session and remember cookies in JavaScript (WebSocket authentication with a subdomain). Is it a reasonable thing, security-wise, to turn off the "HttpOnly" flag of both cookies?
I am aware that this opens the door for XSS attacks to get those cookies. But if I ensure that no XSS is possible, do you think it is ok?
Greetings, Marvin
CodePudding user response:
While the primary reason for httpOnly is XSS, there is a risk in having cookies without this flag.
The most obvious risk is that the statement that your application is not vulnerable to XSS sounds a little overly optimistic. If you have a very good reason to assume that, fine, but the one reason I would think of is if the page is just all static (but why would it set cookies then?). Another reason to accept this could be if XSS is an accepted risk, for example if the app is on an origin where it doesn't matter for some good reason. But these should be thought through and probably covered in a fairly detailed threat model. Any testing or scanning would (for me) be insufficient, and any mitigation in the application's code I could also not accept for various reasons, if XSS really concerns me. For now it might really not have exploitable XSS. What about tomorrow? In 5 years, after 30 different people have changed it?
Also, httpOnly is not only against XSS in its classic sense. For example, you are probably using 3rd-party components, JavaScript not controlled by you but loaded by your application. By having httpOnly cookies, those client-side components will also not have access to the cookies, but without httpOnly they will. Do you trust them that much? Maybe you should not - or maybe it's ok, it all depends on how you model threats and what you are willing to accept.
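The answer's point about third-party scripts, as an added illustration that is not part of the original question or answer: the script below (Node.js, runnable offline) builds Set-Cookie headers with the flags discussed, parses them back, and models what `document.cookie` would expose to any script on the page, first- or third-party, by filtering out HttpOnly cookies. The cookie names `session` and `remember`, the domain `example.com` and the values are constructed for the example; `scriptVisibleCookies` is a simulation of browser behaviour, not a real browser API.

```javascript
// Added example: models which cookies page scripts can read, based on the
// HttpOnly attribute. Not from the original question or answer.

// Build one Set-Cookie header value (attribute names per RFC 6265).
// Defaults are the safe ones: Secure and HttpOnly on, SameSite=Lax.
function buildSetCookie(name, value, opts = {}) {
  const {
    domain,            // e.g. 'example.com' to share with subdomains (constructed)
    path = '/',
    secure = true,
    httpOnly = true,
    sameSite = 'Lax',
    maxAge,
  } = opts;
  // Cookie names are RFC 7230 tokens; values must not contain separators.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (/[\s;,"\\]/.test(value)) {
    throw new Error('cookie value contains forbidden characters');
  }
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (typeof maxAge === 'number') parts.push(`Max-Age=${maxAge}`);
  parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header value back into name/value plus the flags we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 0) throw new Error(`malformed cookie pair: ${pair}`);
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    domain: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'domain') cookie.domain = v;
  }
  return cookie;
}

// Simulation of what `document.cookie` returns for a page that received these
// Set-Cookie headers: browsers omit HttpOnly cookies from the string, so every
// script running on the page (including third-party ones) sees only the rest.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Stand-alone demo: the session cookie keeps HttpOnly, the remember cookie
// has it switched off as in the question. Only the latter leaks to scripts.
if (typeof require !== 'undefined' && require.main === module) {
  const headers = [
    buildSetCookie('session', 'abc123', { domain: 'example.com' }),
    buildSetCookie('remember', 'tok456', { domain: 'example.com', httpOnly: false }),
  ];
  headers.forEach((h) => console.log('Set-Cookie:', h));
  console.log('document.cookie (simulated):', JSON.stringify(scriptVisibleCookies(headers)));
}
```

Running it prints the two Set-Cookie lines and a simulated `document.cookie` of `"remember=tok456"`: the cookie that lost HttpOnly is readable by any script on the page, which is exactly the exposure the answer warns about for third-party components.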