Posted by Sijmen Ruwhof on Feb 12

Hi Joey,

In my research I found out that the ‘x-frame-options’ solution doesn’t
protect against session hijacking via session cookie theft. It is very
important that you also need to add ‘HttpOnly’ flags on all cookies.

I’ve published an overview of my research, additional mitigations and
supporting evidence in a web log article:

http://sijmen.ruwhof.net/weblog/427-mitigations-against-critical-universal-c…