Issue 2550689
Created on 2011-02-22 20:07 by joseph_myers, last changed 2012-11-10 12:13 by schlatterbeck.
msg4245 | Author: [hidden] (joseph_myers) | Date: 2011-02-22 20:07
When the configured URL for a Roundup tracker is an https: URL,
Roundup's cookies should be marked Secure so they do not get sent back
over non-https connections.
Roundup's cookies should also be marked HttpOnly so that any
cross-site-scripting vulnerabilities do not result in cookies being
compromised.
|
msg4501 | Author: [hidden] (schlatterbeck) | Date: 2012-02-23 14:00
Hopefully fixed in git c3efd9d -- I've used "secure" (not uppercase) and
HttpOnly in this peculiar case. Hope this works as intended, I have no
way to really test this. I'm keeping this open, if someone can test
this, please do and notify us here.
|
msg4671 | Author: [hidden] (schlatterbeck) | Date: 2012-11-10 12:13
Update: Recently tested via a proxy setup from https to http. The
cookies don't transfer through, so this works (with recent browsers).
|
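An added example, not part of the thread and not Roundup's own code: one way to set the two attributes requested above from the configured tracker URL, plus a check that can be run against a captured Set-Cookie header. The function names, cookie name and tracker.example URLs are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def build_session_cookie(tracker_url, name, value):
    """Return a Set-Cookie header value for a tracker served at tracker_url."""
    parts = urlsplit(tracker_url)
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = parts.path or "/"
    # HttpOnly always: page script cannot read the cookie, so an XSS bug
    # does not directly hand over the session.
    morsel["httponly"] = True
    # Secure only when the tracker is configured with an https: URL, so the
    # browser never returns the cookie over a plain http connection.
    if parts.scheme == "https":
        morsel["secure"] = True
    return morsel.OutputString()


def audit_set_cookie(tracker_url, header_value):
    """Return the requested attributes that header_value is missing."""
    # Attribute names are case-insensitive ("secure" and "Secure" are equal).
    attrs = {part.split("=", 1)[0].strip().lower()
             for part in header_value.split(";")[1:]}
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if urlsplit(tracker_url).scheme == "https" and "secure" not in attrs:
        missing.append("Secure")
    return missing


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tracker.
    header = build_session_cookie("https://tracker.example/demo/", "sid", "abc123")
    print(header, audit_set_cookie("https://tracker.example/demo/", header))
```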
Date | User | Action | Args
2012-11-10 12:13:05 | schlatterbeck | set | status: open -> closed; messages: + msg4671
2012-02-23 14:00:40 | schlatterbeck | set | status: new -> open; assignee: schlatterbeck; resolution: fixed; messages: + msg4501; nosy: + schlatterbeck
2011-02-22 20:07:34 | joseph_myers | create |