[網站資安] Http Only 保護網站的cookie不被偷取

一般網站常用cookie來記錄使用者的token，重要的cookie請使用http only來做保護。

HttpOnly cookies can in fact be remarkably effective. Here's what we know:

• HttpOnly restricts all access to document.cookie in IE7, Firefox 3, and Opera 9.5 (unsure about Safari)
• HttpOnly removes cookie information from the response headers in XMLHttpObject.getAllResponseHeaders() in IE7. It should do the same thing in Firefox, but it doesn't, because there's a bug.
• XMLHttpObjects may only be submitted to the domain they originated from, so there is no cross-domain posting of the cookies.