Description
The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.
Report
This issue is only a defense-in-depth measure, and we currently have no plans to fix this flaw in Red Hat Enterprise Linux 6. The use of the useHttpOnly setting in Tomcat only prohibits client scripts from accessing cookies when it is correctly implemented in the user's web browser. The use of httpOnly does not guarantee XSS protection; it is only a defense-in-depth measure. Additionally, implementing this as a default setting could have a negative impact on existing expected behavior in client scripts. As a result, the Red Hat Security Response Team has determined that this issue is not a security flaw, but a proactive hardening measure, and the risk associated with implementing it by default and possibly breaking expected behavior is greater than any benefits it provides. Users who wish to take advantage of this hardening measure can enable useHttpOnly by adding '' to the default context.xml or a specific web-application context.
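Added example (not from this page, Red Hat or the Tomcat project): a small audit routine that parses Set-Cookie header lines and reports which cookies are sent without the HttpOnly attribute. The two header sets are constructed to mirror what a Tomcat 6 default context and a context with useHttpOnly enabled would emit for the JSESSIONID session cookie.

```python
from typing import Dict, List

# Constructed sample response headers (not captured from a real server).
# Default Tomcat 6 context: the session cookie carries no HttpOnly flag.
TOMCAT6_DEFAULT: List[str] = [
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/app",
    "Set-Cookie: theme=dark; Path=/; Max-Age=86400",
]
# Hardened context (context.xml: <Context useHttpOnly="true">): HttpOnly is set.
TOMCAT6_USEHTTPONLY: List[str] = [
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly",
    "Set-Cookie: theme=dark; Path=/; Max-Age=86400",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one 'Set-Cookie: name=value; attr; attr=val' line into parts.

    Attribute names are lower-cased so HttpOnly / httponly compare equal;
    flag attributes without a value (HttpOnly, Secure) map to ''.
    """
    _, _, body = header.partition(":")
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookies_missing_httponly(headers: List[str], session_only: bool = True) -> List[str]:
    """Return the names of cookies set without HttpOnly.

    With session_only=True only the Tomcat session cookie (JSESSIONID) is
    checked, which is the cookie this advisory is about; set it to False to
    audit every cookie in the response.
    """
    missing: List[str] = []
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = parse_set_cookie(line)
        if session_only and str(cookie["name"]).upper() != "JSESSIONID":
            continue
        if "httponly" not in cookie["attrs"]:
            missing.append(str(cookie["name"]))
    return missing
```

Running the check against the two header sets shows JSESSIONID flagged only for the default context, which is the observable difference the useHttpOnly setting makes.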
Affected packages
Platform | Package | State | Recommendation | Release
---|---|---|---|---
Red Hat Enterprise Linux 6 | tomcat6 | Affected | |
Red Hat JBoss Enterprise Web Server 1 for RHEL 4 AS | tomcat6 | Affected | |
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server | tomcat6 | Affected | |
Additional information
Status:
EPSS:
CVSS2: 4.3 Medium
Related vulnerabilities
Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header