Francois Gouget : testbot/web: Only allow retrieving our cookies through Http.

Alexandre Julliard julliard at winehq.org
Tue Jul 11 13:55:06 CDT 2017


Module: tools
Branch: master
Commit: f5d82db8fdded58a0524f7f1ab0a03756f6f724d
URL:    http://source.winehq.org/git/tools.git/?a=commit;h=f5d82db8fdded58a0524f7f1ab0a03756f6f724d

Author: Francois Gouget <fgouget at codeweavers.com>
Date:   Tue Jul 11 12:39:59 2017 +0200

testbot/web: Only allow retrieving our cookies through Http.

The WineTestBot JavaScript code does not need to access cookies so
reduce the attack surface (and possibly prevent some XSS attacks).

Signed-off-by: Francois Gouget <fgouget at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 testbot/lib/WineTestBot/CGI/PageBase.pm | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/testbot/lib/WineTestBot/CGI/PageBase.pm b/testbot/lib/WineTestBot/CGI/PageBase.pm
index 0f89e46..04759ca 100644
--- a/testbot/lib/WineTestBot/CGI/PageBase.pm
+++ b/testbot/lib/WineTestBot/CGI/PageBase.pm
@@ -163,7 +163,8 @@ sub SetCookies($)
       $Cookie = CGI::Cookie->new(-Name    => "SessionId",
                                  -Value   => $Session->Id,
                                  -Expires => $Expire,
-                                 -Secure  => $UseSSL);
+                                 -Secure  => $UseSSL,
+                                 -HttpOnly => 1);
       $Request->err_headers_out->add("Set-Cookie", $Cookie);
     }
     else
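Review bot: HttpOnly on the SessionId cookie in this hunk keeps document.cookie from reading it but does nothing for transport, and with -Secure => $UseSSL the cookie still travels over plain HTTP whenever $UseSSL is false, so "only through Http" in the title means "only via HTTP headers, not script", not transport protection; a one-line comment next to -HttpOnly => 1 saying so would avoid that misreading. Also worth stating in that comment: HttpOnly limits cookie theft, not XSS itself, since injected script can still issue authenticated requests from the page. On spelling, CGI::Cookie documents the option as -httponly; the mixed-case -HttpOnly works because CGI::Util::rearrange lowercases parameter names, and it matches the -Secure/-Expires style already used here, so no change needed.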
@@ -183,7 +184,8 @@ sub SetCookies($)
     $Cookie = CGI::Cookie->new(-Name    => "SessionActive",
                                -Value   => $SessionPermanent,
                                -Expires => $Expire,
-                               -Secure  => !1);
+                               -Secure  => !1,
+                               -HttpOnly => 1);
     $Request->err_headers_out->add("Set-Cookie", $Cookie);
   }
   else
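Review bot: the SessionActive cookie is deliberately not Secure (-Secure => !1), so it is sent over plain HTTP and HttpOnly only hides it from document.cookie; that is acceptable because its value is the $SessionPermanent flag rather than a session secret, but the asymmetry with the SessionId cookie (Secure => $UseSSL) deserves a short comment at this hunk explaining why this cookie must be readable over HTTP. If the else branch that follows re-issues SessionActive with a past expiry to clear it, the same -HttpOnly => 1 should be added there for consistency; that code is outside this hunk.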



