• Type: Bug
    • Resolution: Duplicate
    • Priority: Low
    • Fix Version/s: 2.2 Iteration 2, 2.2
    • Affects Version/s: 2.0
    • Environment: Crowd 2.0.0 (Build:#406 - Jul 29, 2009)
      Sun Java 1.6.0_16, JVM 14.2-b01

      Like FE-899

      Set-up is something like this:

      • SSO domain is .example.com
      • Crowd-authenticated sites are {wiki,bugs,crowd}.example.com
      • Additionally, webdav.example.com allows users to easily make test websites

      Even though webdav.example.com is configured to only allow static content, JavaScript can still steal cookies (tested with <script>document.write(document.cookie)</script>).

      Admittedly, the "correct" fix is to stick "trusted" content under a different subdomain (.secure.example.com) but that gets messy. Additionally, it's perfectly feasible to make webdav.example.com Crowd-authenticated but not wish for embedded JS to read the same cookies (this can be fixed by making webdav.example.com serve application/octet-stream, Content-Disposition: attachment and moving the "normal" server to webdav.example.net, but that's even messier).
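The condition the reporter describes, turned into a check a defender can run over a server's response headers. This is an added example, not code from this ticket or from Crowd: it parses a Set-Cookie value and flags a session cookie that is scoped to the parent domain but issued without HttpOnly. crowd.token_key is the cookie named in the ticket; jsessionid and the sample header values are assumptions.

```python
# Audit Set-Cookie headers for the weakness in this ticket: a session
# cookie scoped to the parent domain and missing HttpOnly is readable
# via document.cookie from any sibling subdomain.
from dataclasses import dataclass, field

# crowd.token_key is from the ticket; jsessionid is an assumed extra.
SESSION_COOKIE_NAMES = {"crowd.token_key", "jsessionid"}


@dataclass
class CookieAudit:
    name: str
    domain: str
    http_only: bool
    secure: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, Domain and the two flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, http_only, secure = "", False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = value.strip().lower()
        elif key == "httponly":
            http_only = True
        elif key == "secure":
            secure = True
    return CookieAudit(name, domain, http_only, secure)


def audit_set_cookie(header):
    """Return the parsed cookie plus findings (empty when acceptable)."""
    c = parse_set_cookie(header)
    if c.name.lower() not in SESSION_COOKIE_NAMES:
        return c  # not a session token; the flags are not required
    if not c.http_only:
        # A leading dot (Domain=.example.com) means every subdomain,
        # so script on any sibling host can read the token.
        scope = f"every host under {c.domain}" if c.domain.startswith(".") else "this host"
        c.findings.append(f"missing HttpOnly: script on {scope} can read it via document.cookie")
    if not c.secure:
        c.findings.append("missing Secure: sent over plain HTTP")
    return c


# Constructed samples: WEAK matches the ticket, FIXED is the expected form.
WEAK = "crowd.token_key=abc123; Path=/; Domain=.example.com"
FIXED = "crowd.token_key=abc123; Path=/; Domain=.example.com; Secure; HttpOnly"
```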

            [CWD-1848] crowd.token_key cookie should be HttpOnly

            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 - restricted [ 1510132 ] New: JAC Bug Workflow v3 [ 3365536 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 [ 1392939 ] New: Simplified Crowd Development Workflow v2 - restricted [ 1510132 ]
            Owen made changes -
            Workflow Original: Crowd Development Workflow v2 [ 273700 ] New: Simplified Crowd Development Workflow v2 [ 1392939 ]
            Piyawoot Songsiritat [Atlassian] made changes -
            Resolution New: Duplicate [ 3 ]
            Status Original: Technical Review [ 10028 ] New: Resolved [ 5 ]
            Piyawoot Songsiritat [Atlassian] added a comment - Fixed in CWD-1948
            Piyawoot Songsiritat [Atlassian] made changes -
            Status Original: In Progress [ 3 ] New: Technical Review [ 10028 ]
            James Wong made changes -
            Fix Version/s New: 2.2 Iteration 2 [ 15835 ]
            Fix Version/s Original: 2.2 Iteration 1 [ 15782 ]
            James Wong made changes -
            Fix Version/s New: 2.2 Iteration 1 [ 15782 ]
            Piyawoot Songsiritat [Atlassian] made changes -
            Status Original: Open [ 1 ] New: In Progress [ 3 ]
            James Wong made changes -
            Assignee Original: James Wong [ 4c7409f97ecf ] New: Piyawoot Songsiritat [Atlassian] [ psongsiritat ]

Assignee: Piyawoot Songsiritat [Atlassian]
              Reporter: T Chan
              Affected customers: 2
              Watchers: 1