Type: Bug
Resolution: Duplicate
Priority: Low
Affects Version/s: 2.0
Environment: Crowd 2.0.0 (Build:#406 - Jul 29, 2009), Sun Java 1.6.0_16, JVM 14.2-b01
Like FE-899
Set-up is something like this:
- SSO domain is .example.com
- Crowd-authenticated sites are {wiki,bugs,crowd}.example.com
- Additionally, webdav.example.com allows users to easily make test websites
Even though webdav.example.com is configured to only allow static content, JavaScript can still steal cookies (tested with <script>document.write(document.cookie)</script>).
Admittedly, the "correct" fix is to stick "trusted" content under a different subdomain (.secure.example.com) but that gets messy. Additionally, it's perfectly feasible to make webdav.example.com Crowd-authenticated but not wish for embedded JS to read the same cookies (this can be fixed by making webdav.example.com serve application/octet-stream, Content-Disposition: attachment and moving the "normal" server to webdav.example.net, but that's even messier).
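An added check (not part of this report or of Crowd's code) that parses a Set-Cookie header and flags the two properties the report turns on: a Domain=.example.com scope that also reaches webdav.example.com, and a missing HttpOnly attribute, which is what lets page script on any of those hosts read the cookie. The header values and host list are constructed from the reporter's setup; the Secure check goes slightly beyond the report.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {lowercased attr: value}).
    Flag attributes such as HttpOnly carry an empty string as their value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookie_sent_to(attrs, origin_host, request_host):
    """Domain=.example.com makes every subdomain receive the cookie; with no
    Domain attribute only the host that set it does (RFC 6265 host-only)."""
    host = request_host.lower()
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return host == origin_host.lower()
    return host == domain or host.endswith("." + domain)


def audit_session_cookie(header, origin_host, sibling_hosts):
    """Report which other hosts receive the cookie and, if HttpOnly is absent,
    on which of them page script could read it via document.cookie."""
    name, _, attrs = parse_set_cookie(header)
    shared = [h for h in sibling_hosts
              if h.lower() != origin_host.lower()
              and cookie_sent_to(attrs, origin_host, h)]
    httponly = "httponly" in attrs
    return {
        "name": name,
        "httponly": httponly,
        "secure": "secure" in attrs,  # not raised in the report; related hardening
        "shared_with": shared,
        "script_readable_on": [] if httponly else shared,
    }


# Constructed sample headers for the cookie named in the report (not real Crowd output).
WEAK = "crowd.token_key=0123abcd; Path=/; Domain=.example.com"
HARDENED = "crowd.token_key=0123abcd; Path=/; Domain=.example.com; Secure; HttpOnly"
SSO_HOSTS = ["wiki.example.com", "bugs.example.com", "webdav.example.com"]

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(audit_session_cookie(header, "crowd.example.com", SSO_HOSTS))
```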
Is duplicated by: CWD-1874 Make Crowd token cookies httponly (Closed)
[CWD-1848] crowd.token_key cookie should be HttpOnly
Field | Original | New
Workflow | Simplified Crowd Development Workflow v2 - restricted [ 1510132 ] | JAC Bug Workflow v3 [ 3365536 ]
Status | Resolved [ 5 ] | Closed [ 6 ]
Workflow | Simplified Crowd Development Workflow v2 [ 1392939 ] | Simplified Crowd Development Workflow v2 - restricted [ 1510132 ]
Workflow | Crowd Development Workflow v2 [ 273700 ] | Simplified Crowd Development Workflow v2 [ 1392939 ]
Resolution | | Duplicate [ 3 ]
Status | Technical Review [ 10028 ] | Resolved [ 5 ]
Status | In Progress [ 3 ] | Technical Review [ 10028 ]
Fix Version/s | | 2.2 Iteration 2 [ 15835 ]
Fix Version/s | 2.2 Iteration 1 [ 15782 ] |
Fix Version/s | | 2.2 Iteration 1 [ 15782 ]
Status | Open [ 1 ] | In Progress [ 3 ]
Assignee | James Wong [ 4c7409f97ecf ] | Piyawoot Songsiritat [Atlassian] [ psongsiritat ]
Fixed in CWD-1948