Crowd / CWD-1848

crowd.token_key cookie should be HttpOnly


    Details

      Description

      Like FE-899

      Set-up is something like this:

      • SSO domain is .example.com
      • Crowd-authenticated sites are {wiki,bugs,crowd}.example.com
      • Additionally, webdav.example.com allows users to easily make test websites

      Even though webdav.example.com is configured to only allow static content, JavaScript can still steal cookies (tested with <script>document.write(document.cookie)</script>).

      Admittedly, the "correct" fix is to stick "trusted" content under a different subdomain (.secure.example.com) but that gets messy. Additionally, it's perfectly feasible to make webdav.example.com Crowd-authenticated but not wish for embedded JS to read the same cookies (this can be fixed by making webdav.example.com serve application/octet-stream, Content-Disposition: attachment and moving the "normal" server to webdav.example.net, but that's even messier).
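As an added example, not part of this issue or of Crowd's own code: a small Node.js model of RFC 6265 cookie scoping, run against constructed Set-Cookie headers, showing what HttpOnly changes for a crowd.token_key cookie scoped to .example.com. With the flag, a page on webdav.example.com can no longer read the cookie through document.cookie, but the browser still attaches it to every request to *.example.com (so SSO keeps working, and so a malicious page on webdav.example.com can still make authenticated requests). Narrowing the Domain attribute (the reporter's ".secure.example.com" option) is what actually keeps the cookie away from webdav.example.com. The header values, the hosts beyond those named in the description, and the helper names are assumptions.

```javascript
// Added example (not from CWD-1848 or the Crowd code base): a minimal model of
// browser cookie scoping per RFC 6265, enough to show what HttpOnly does and
// does not change. The Set-Cookie values below are constructed for illustration;
// Crowd's real header attributes are not taken from this page.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header, issuingHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: issuingHost.toLowerCase(), // host-only unless a Domain attribute is present
    hostOnly: true,
    httpOnly: false,
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=').map(s => s.trim());
    switch (k.toLowerCase()) {
      case 'domain':
        // RFC 6265 strips a leading dot: Domain=.example.com means example.com
        cookie.domain = v.replace(/^\./, '').toLowerCase();
        cookie.hostOnly = false;
        break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
    }
  }
  return cookie;
}

// Domain-match: the host equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookie) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// What script on `host` sees in document.cookie: matching cookies minus HttpOnly ones.
function scriptVisibleCookies(jar, host) {
  return jar.filter(c => domainMatches(host, c) && !c.httpOnly).map(c => c.name);
}

// What the browser attaches to a request to `host`: every matching cookie,
// HttpOnly included. HttpOnly restricts script access, not transmission.
function requestCookies(jar, host) {
  return jar.filter(c => domainMatches(host, c)).map(c => c.name);
}

// Constructed scenario: the SSO cookie as issued by crowd.example.com for the
// parent domain, first without and then with HttpOnly, then narrowed to a
// separate "trusted" subdomain as the description suggests.
const weak = parseSetCookie(
  'crowd.token_key=abc123; Domain=.example.com; Path=/', 'crowd.example.com');
const hardened = parseSetCookie(
  'crowd.token_key=abc123; Domain=.example.com; Path=/; HttpOnly; Secure', 'crowd.example.com');
const narrowed = parseSetCookie(
  'crowd.token_key=abc123; Domain=.secure.example.com; Path=/; HttpOnly; Secure',
  'crowd.secure.example.com');

function demo() {
  return {
    // No HttpOnly: <script>document.write(document.cookie)</script> on
    // webdav.example.com reads the SSO token.            -> ['crowd.token_key']
    weakVisibleOnWebdav: scriptVisibleCookies([weak], 'webdav.example.com'),
    // HttpOnly set: the same script sees nothing.        -> []
    hardenedVisibleOnWebdav: scriptVisibleCookies([hardened], 'webdav.example.com'),
    // ... but the cookie still travels to wiki.example.com, so SSO works.
    hardenedSentToWiki: requestCookies([hardened], 'wiki.example.com'),
    // ... and still travels to webdav.example.com, so a page there can still
    // issue authenticated requests. HttpOnly is not a CSRF defence.
    hardenedSentToWebdav: requestCookies([hardened], 'webdav.example.com'),
    // Domain narrowed to .secure.example.com: never sent to webdav.example.com.
    narrowedSentToWebdav: requestCookies([narrowed], 'webdav.example.com'),
    narrowedSentToSecureWiki: requestCookies([narrowed], 'wiki.secure.example.com'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node cookie-scope.js` (file name is an assumption). The practical reading: HttpOnly is the cheap, compatible fix for cookie theft via document.cookie on a sibling subdomain, while the domain split the reporter calls "messy" is the only thing that stops the cookie being sent to the untrusted host at all.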


              People

              Assignee:
              psongsiritat Piyawoot Songsiritat [Atlassian]
              Reporter:
              tchan T Chan
Votes:
2
Watchers:
1
