Bug 1077450

Summary: [ovirt][webadmin] Missing cookie attributes - HttpOnly
Product: [Retired] oVirt
Reporter: lzhuang <lzhuang>
Component: ovirt-engine-webadmin
Assignee: Alexander Wels <awels>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Beňas <pbenas>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.4
CC: alonbl, bazulay, bugs, djorm, ecohen, gklein, huiwang, iheim, jechoi, juan.hernandez, khong, mgoldboi, pbenas, pstehlik, rbalakri, suli, yeylon, yuzheng, yzaslavs
Target Milestone: ---
Keywords: Security
Target Release: 3.5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: ux
Fixed In Version: ovirt-3.5.0-beta2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-17 12:37:01 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: UX
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1095242
Bug Blocks:

Description lzhuang 2014-03-18 03:32:09 UTC
Description of problem:
No "HttpOnly" flag is used in the HTTP response header when a new cookie is generated. The flag could mitigate the risk of client-side script accessing the protected cookie.

Version-Release number of selected component (if applicable):
oVirt 3.4.0-5 beta3

How reproducible:
100%

Steps to Reproduce:
1. Clear the web cache and log in to https://<host_ip>/ovirt-engine/webadmin
2. Check the "Set-cookie" header

Actual results:
No "HttpOnly" flag is used in the "Set-cookie" header

Expected results:
Use response header X-Content-Type-Options: nosniff to prevent MIME sniffing or make sure MIME type mismatch not exist.

Additional info:

Comment 1 lzhuang 2014-03-18 03:46:57 UTC
Sorry for the typo, the Expected results are not correct. They should be:

Expected results:
Add "HttpOnly" to the cookie when the server generates cookies.
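A small checker for the condition this bug describes, added here as an example (it is not the reporter's or the oVirt project's code): it pulls the Set-Cookie values out of a raw HTTP response and reports every cookie set without HttpOnly. The sample response and cookie values are constructed, and the JSESSIONID value shown is a placeholder.

```python
# Added example, not from the oVirt project: audit Set-Cookie headers for the
# HttpOnly attribute. All sample data below is constructed.
from typing import Dict, List, Tuple


def set_cookie_headers_from_response(raw_response: str) -> List[str]:
    """Return every Set-Cookie value found in the header block of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are lower-cased so 'HttpOnly' and 'httponly' both count;
    flag attributes with no value map to ''."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()      # value may itself contain '='
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies set without HttpOnly, i.e. readable via document.cookie."""
    return [name for name, attrs in map(parse_set_cookie, set_cookie_headers)
            if "httponly" not in attrs]


# Constructed sample: the header as reported here, and the fixed form.
BEFORE_FIX = ["JSESSIONID=PLACEHOLDER; Path=/ovirt-engine/webadmin"]
AFTER_FIX = ["JSESSIONID=PLACEHOLDER; Path=/ovirt-engine/webadmin; HttpOnly"]
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Content-Type: text/html\r\n"
                   "Set-Cookie: " + BEFORE_FIX[0] + "\r\n"
                   "\r\n<html></html>")

if __name__ == "__main__":
    cookies = set_cookie_headers_from_response(SAMPLE_RESPONSE)
    print("missing HttpOnly (before fix):", missing_httponly(cookies))  # ['JSESSIONID']
    print("missing HttpOnly (after fix):", missing_httponly(AFTER_FIX))  # []
```

HttpOnly only blocks script access to the cookie; it says nothing about transport, which is what the separate Secure attribute covers.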

Comment 4 Alon Bar-Lev 2014-05-07 10:54:57 UTC
Apart from:

ReportModel, for which I opened bug#1095242.

There is:

ClientStorageImpl, which may suffer from the same; I am unsure, as I do not think it accesses the server cookies.

Comment 5 Einav Cohen 2014-05-07 13:02:42 UTC
Patch reverted, moving to ASSIGNED.

Comment 6 Petr Beňas 2014-09-23 13:53:36 UTC
HttpOnly is set for JSESSIONID in 3.5.0-0.11.beta.el6ev.

Comment 7 Sandro Bonazzola 2014-10-17 12:37:01 UTC
oVirt 3.5 has been released and should include the fix for this issue.