[Tools] testbot/web: Only allow retrieving our cookies through Http.
Francois Gouget
fgouget at codeweavers.com
Tue Jul 11 05:39:59 CDT 2017
The WineTestBot JavaScript code does not need to access cookies so
reduce the attack surface (and possibly prevent some XSS attacks).
Signed-off-by: Francois Gouget <fgouget at codeweavers.com>
---
testbot/lib/WineTestBot/CGI/PageBase.pm | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/testbot/lib/WineTestBot/CGI/PageBase.pm b/testbot/lib/WineTestBot/CGI/PageBase.pm
index 0f89e462..04759ca0 100644
--- a/testbot/lib/WineTestBot/CGI/PageBase.pm
+++ b/testbot/lib/WineTestBot/CGI/PageBase.pm
@@ -163,7 +163,8 @@ sub SetCookies($)
$Cookie = CGI::Cookie->new(-Name => "SessionId",
-Value => $Session->Id,
-Expires => $Expire,
- -Secure => $UseSSL);
+ -Secure => $UseSSL,
+ -HttpOnly => 1);
$Request->err_headers_out->add("Set-Cookie", $Cookie);
}
else
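Review bot: The SessionId cookie still has `-Secure => $UseSSL`, so on a deployment without SSL the session identifier travels in clear text regardless of the new HttpOnly flag; the flag only hides the value from `document.cookie`, it does not stop a script injected into the page from issuing authenticated requests with the cookie attached by the browser. The cookie-theft mitigation is worthwhile, but the subject line's "prevent some XSS attacks" overstates it; I would phrase it as limiting what an XSS can do with the session. If `$UseSSL` is ever false in production, consider making Secure unconditional for SessionId so the two hardening flags are not decoupled.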
@@ -183,7 +184,8 @@ sub SetCookies($)
$Cookie = CGI::Cookie->new(-Name => "SessionActive",
-Value => $SessionPermanent,
-Expires => $Expire,
- -Secure => !1);
+ -Secure => !1,
+ -HttpOnly => 1);
$Request->err_headers_out->add("Set-Cookie", $Cookie);
}
else
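Review bot: `-Secure => !1` keeps SessionActive deliberately readable over plain HTTP while the new `-HttpOnly => 1` removes script access; since the value is only the `$SessionPermanent` flag that is consistent, but the two lines now read as contradictory hardening and deserve a one-line comment stating why this cookie must stay non-Secure (presumably so HTTP and HTTPS pages both see it). For readability I would also write the false value as `0` rather than `!1`.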
--
2.13.2