Manual:$wgCookieHttpOnly

Details
Set the HttpOnly flag on all cookies set by MediaWiki (to prevent access from JavaScript). This can mitigate some classes of XSS attacks.

Browsers known to support HttpOnly

 * IE/Win 6 SP1 or 7
 * Firefox 2.0.0.5 or later
 * Opera 9.50 beta
 * Konqueror (3.4?)

Browsers known to ignore HttpOnly
Browsers that don't understand HttpOnly cookies should still store and use the cookies as normal, but will expose them to JavaScript code.


 * Safari 3.1
 * Opera 9.27 (current non-Beta release)
 * Old scary browsers like IE for Mac and Netscape 4 ;)