Description of problem:
No "HttpOnly" flag is set in the HTTP response header when a new cookie is generated. The flag would mitigate the risk of client-side script accessing the protected cookie.
Version-Release number of selected component (if applicable):
oVirt 3.4.0-5 beta3
How reproducible:
100%
Steps to Reproduce:
1. Clear web cache and login to https://<host_ip>/ovirt-engine/webadmin
2. Check the "Set-cookie" header
Actual results:
No "HttpOnly" flag is used in "Set-cookie" header
Expected results:
Use the response header X-Content-Type-Options: nosniff to prevent MIME sniffing, or make sure no MIME type mismatch exists.
Additional info:
Apart from ReportModel, for which I opened bug #1095242, there is ClientStorageImpl, which may suffer from the same issue; I am unsure, as I do not think it accesses the server cookies.
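As an added example (not part of this report or of oVirt's own code), a small check that parses the "Set-Cookie" headers captured in step 2 and reports which protective flags each cookie lacks; the sample headers below are constructed, not taken from a real engine.

```python
# Constructed sample Set-Cookie values (not captured from a real oVirt host).
SAMPLE_HEADERS = [
    "JSESSIONID=ABC123; Path=/ovirt-engine; Secure",
    "JSESSIONID=ABC123; Path=/ovirt-engine; Secure; HttpOnly",
    "locale=en_US; Path=/; Max-Age=31536000",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: attribute_value}).

    Attributes are matched case-insensitively, as browsers do; flags without a value
    (Secure, HttpOnly) are stored with an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_flags(header):
    """Return the protective flags a Set-Cookie header lacks.

    HttpOnly keeps the cookie out of reach of document.cookie; Secure is expected
    here because webadmin is served over https:// (see step 1).
    """
    _, _, attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    return missing


def audit(headers):
    """Audit a list of Set-Cookie values; returns [(cookie_name, [missing flags]), ...]."""
    return [(parse_set_cookie(h)[0], missing_flags(h)) for h in headers]


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_HEADERS):
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```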