Why Aren't HTTP-only Cookies More Widely Deployed?
Yuchen Zhou and David Evans
University of Virginia
Web 2.0 Security and Privacy (W2SP 2010)
HTTP-only cookie deployment timeline
HTTP-only cookies were introduced eight years ago as a simple way to prevent cookie-stealing through cross-site scripting attacks. Adopting HTTP-only cookies seems to be an easy task with no significant costs or drawbacks, but many major websites still do not use HTTP-only cookies. This paper reports on a survey of HTTP-only cookie use in popular websites, and considers reasons why HTTP-only cookies are not yet more widely deployed.
Full paper (5 pages): PDF