Manual:$wgCookieHttpOnly/ja

Details
Set the HttpOnly flag on all cookies set by MediaWiki (to prevent access from JavaScript, see section 6.1.2.6 of RFC 6265). This can mitigate some classes of XSS attacks.
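
One way to confirm the setting is in effect is to inspect the Set-Cookie headers a wiki returns. The following is an added example, not MediaWiki code; the cookie names and header lines are constructed sample data, and the function names are hypothetical.

```python
# Added example: audit Set-Cookie headers for the HttpOnly attribute.
# The header lines below are constructed sample data, not real MediaWiki output.

SAMPLE_HEADERS = [
    "Set-Cookie: wikidb_session=abc123; path=/; HttpOnly",
    "Set-Cookie: wikidbUserID=42; expires=Fri, 01-Jan-2100 00:00:00 GMT; path=/; httponly",
    "Set-Cookie: wikidbUserName=Example; path=/",
    # The cookie value contains the word "httponly", but the flag itself is absent.
    "Set-Cookie: prefs=note=httponly; path=/",
    "Content-Type: text/html; charset=UTF-8",
]


def parse_set_cookie(line):
    """Return (cookie_name, set of lowercased attribute names), or None
    if the line is not a Set-Cookie header."""
    header, sep, value = line.partition(":")
    if not sep or header.strip().lower() != "set-cookie":
        return None
    parts = value.split(";")
    # The first part is name=value; it is never treated as an attribute,
    # so a value that happens to contain "httponly" does not count.
    cookie_name = parts[0].partition("=")[0].strip()
    # Attribute names are matched case-insensitively.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    attrs.discard("")
    return cookie_name, attrs


def cookies_missing_httponly(header_lines):
    """List the names of cookies set without the HttpOnly attribute."""
    missing = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed and "httponly" not in parsed[1]:
            missing.append(parsed[0])
    return missing


if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie readable from JavaScript (no HttpOnly): {name}")
```
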

Browsers known to support HttpOnly

 * IE/Win 6 SP1 or 7
 * Firefox 2.0.0.5+
 * Opera 9.50 beta
 * Konqueror (3.4?)

Browsers known to ignore HttpOnly
Browsers that don't understand HttpOnly cookies should still store and use the cookies as normal, but will still expose them to JavaScript code.


 * Safari 3.1
 * Opera 9.27 (current production release (non-beta))
 * Old scary browsers like IE for Mac and Netscape 4 ;)

External links

 * Brion's blog post on the topic
 * Microsoft docs on HTTP-only cookies