Bug 1077450 - [ovirt][webadmin] Missing cookie attributes - HttpOnly
Summary: [ovirt][webadmin] Missing cookie attributes - HttpOnly
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-webadmin
Version: 3.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.5.0
Assignee: Alexander Wels
QA Contact: Petr Beňas
Whiteboard: ux
Depends On: 1095242
TreeView+ depends on / blocked
Reported: 2014-03-18 03:32 UTC by lzhuang
Modified: 2016-02-10 19:45 UTC (History)
19 users (show)

Fixed In Version: ovirt-3.5.0-beta2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-10-17 12:37:01 UTC
oVirt Team: UX

Attachments (Terms of Use)

Description lzhuang 2014-03-18 03:32:09 UTC
Description of problem:
No "HttpOnly" flag is used in HTTP response header when a new cookie is generated. The flag could mitigate the risk of client side script accessing the protected cookie.

Version-Release number of selected component (if applicable):
oVirt 3.4.0-5 beta3

How reproducible:

Steps to Reproduce:
1. Clear web cache and login to https://<host_ip>/ovirt-engine/webadmin
2. Check the "Set-cookie" header

Actual results:
No "HttpOnly" flag is used in "Set-cookie" header

Expected results:
Use response header X-Content-Type-Options: nosniff to prevent MIME sniffing or make sure MIME type mismatch not exist.

Additional info:

Comment 1 lzhuang 2014-03-18 03:46:57 UTC
Sorry for wrong typing, the Expected results is not correct. It should be:

Expected results:
Add "HttpOnly" to cookie when server generating cookies.

Comment 4 Alon Bar-Lev 2014-05-07 10:54:57 UTC
Apart of:

ReportModel, which I opened bug#1095242.

There is:

ClientStorageImpl which may suffer from the same, I am unsure as I do not think it accesses the server cookies.

Comment 5 Einav Cohen 2014-05-07 13:02:42 UTC
patch reverted, moving to ASSIGNED.

Comment 6 Petr Beňas 2014-09-23 13:53:36 UTC
HttpOnly is set for JSESSIONID in 3.5.0-0.11.beta.el6ev.

Comment 7 Sandro Bonazzola 2014-10-17 12:37:01 UTC
oVirt 3.5 has been released and should include the fix for this issue.

Note You need to log in before you can comment on or make changes to this bug.