Description of problem:
No "HttpOnly" flag is used in the HTTP response header when a new cookie is generated. The flag could mitigate the risk of client-side script accessing the protected cookie.

Version-Release number of selected component (if applicable):
oVirt 3.4.0-5 beta3

How reproducible:
100%

Steps to Reproduce:
1. Clear web cache and login to https://<host_ip>/ovirt-engine/webadmin
2. Check the "Set-cookie" header

Actual results:
No "HttpOnly" flag is used in "Set-cookie" header

Expected results:
Use response header X-Content-Type-Options: nosniff to prevent MIME sniffing or make sure MIME type mismatch not exist.

Additional info:
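A small checker for step 2 of the reproduction above, added here as an example and not part of the bug report or of oVirt's own code. Given the raw Set-Cookie header values a server returned, it reports which cookies lack the HttpOnly attribute (and, since the webadmin URL is https://, the Secure attribute as well). The sample headers embedded below are constructed for illustration; the cookie values are not real session identifiers, and the `fetch_set_cookie_headers` helper, the `--insecure` switch and the `locale` cookie name are this example's own assumptions, not anything oVirt documents.

```python
# Added example (not oVirt project code): report cookies that are set without
# HttpOnly / Secure. Sample headers below are constructed, not captured.
import http.client
import ssl
import sys
from urllib.parse import urlsplit

REQUIRED_FLAGS = ("HttpOnly", "Secure")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, {attr_lower: value}).

    Attribute names are case-insensitive (RFC 6265), so they are lowered;
    flag attributes such as HttpOnly carry an empty string as their value.
    """
    pieces = [p.strip() for p in header_value.split(";")]
    name = pieces[0].partition("=")[0].strip()
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, value = piece.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_flags(set_cookie_headers, require_secure=True):
    """Return {cookie_name: [missing flags]} for every cookie that lacks a
    required attribute. Fully protected cookies are omitted from the dict."""
    required = REQUIRED_FLAGS if require_secure else REQUIRED_FLAGS[:1]
    report = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in required if flag.lower() not in attrs]
        if missing:
            report[name] = missing
    return report


def fetch_set_cookie_headers(url, verify_tls=True):
    """GET `url` over TLS and return every Set-Cookie header value as sent.

    verify_tls=False is only for a lab engine with a self-signed certificate.
    """
    parts = urlsplit(url)
    context = ssl.create_default_context()
    if not verify_tls:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       context=context, timeout=10)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        # get_all returns every repeated Set-Cookie header, not just the last.
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


# Constructed sample (assumption, not a capture from oVirt): BUGGY_HEADERS is
# the situation the report describes, a session cookie sent without HttpOnly;
# FIXED_HEADERS is the expected form. The "locale" cookie name is made up.
BUGGY_HEADERS = [
    "JSESSIONID=0123456789abcdef; Path=/ovirt-engine; Secure",
    "locale=en_US; Path=/ovirt-engine",
]
FIXED_HEADERS = [
    "JSESSIONID=0123456789abcdef; Path=/ovirt-engine; Secure; HttpOnly",
    "locale=en_US; Path=/ovirt-engine; Secure; HttpOnly",
]

if __name__ == "__main__":
    # Usage: python check_cookies.py https://<host_ip>/ovirt-engine/webadmin [--insecure]
    if len(sys.argv) > 1:
        headers = fetch_set_cookie_headers(sys.argv[1],
                                           verify_tls="--insecure" not in sys.argv[2:])
    else:
        headers = BUGGY_HEADERS
    findings = missing_flags(headers)
    for cookie, flags in findings.items():
        print(f"{cookie}: missing {', '.join(flags)}")
    sys.exit(1 if findings else 0)
```

Run it against the webadmin URL after clearing the browser cache is not needed: the script makes its own fresh request, so the engine generates a new session cookie each time. A non-zero exit means at least one cookie came back without HttpOnly or Secure.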
Sorry for wrong typing, the Expected results is not correct. It should be: Expected results: Add "HttpOnly" to cookie when server generating cookies.
Apart from ReportModel, for which I opened bug#1095242, there is ClientStorageImpl, which may suffer from the same; I am unsure, as I do not think it accesses the server cookies.
patch reverted, moving to ASSIGNED.
HttpOnly is set for JSESSIONID in 3.5.0-0.11.beta.el6ev.
oVirt 3.5 has been released and should include the fix for this issue.