Description of problem:
No "HttpOnly" flag is used in the HTTP response header when a new cookie is generated. The flag could mitigate the risk of client-side script accessing the protected cookie.
Version-Release number of selected component (if applicable):
oVirt 3.4.0-5 beta3
Steps to Reproduce:
1. Clear web cache and login to https://<host_ip>/ovirt-engine/webadmin
2. Check the "Set-cookie" header
No "HttpOnly" flag is used in "Set-cookie" header
Use the response header X-Content-Type-Options: nosniff to prevent MIME sniffing, or make sure no MIME type mismatch exists.
Sorry for the typo; the Expected results field is not correct. It should be:
Add "HttpOnly" to the cookie when the server generates cookies.
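The check from the steps to reproduce, as an added example that is not part of the original report or of the oVirt code base: it parses each Set-Cookie header of a response and reports which cookies lack HttpOnly. It goes one step beyond the report by also flagging a missing Secure attribute, which matters for a cookie issued over https. The host, the sample cookie values and the helper names are assumptions for illustration; the sample headers below are constructed, one per state of the bug (before the fix, with HttpOnly only, and with both flags).

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) attribute.

Added example, not oVirt code. The sample headers below are constructed.
"""
import http.client
import ssl
import sys
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    missing: List[str] = field(default_factory=list)


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value and list the protective attributes it lacks."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265); values such as Path=... are ignored.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    audit = CookieAudit(name, "httponly" in attrs, "secure" in attrs)
    if not audit.http_only:
        audit.missing.append("HttpOnly")
    if not audit.secure:
        audit.missing.append("Secure")
    return audit


def audit_headers(headers: List[Tuple[str, str]]) -> List[CookieAudit]:
    """Audit every Set-Cookie header in a raw (name, value) list.

    Set-Cookie may repeat, so the headers must not be collapsed into a dict first.
    """
    return [audit_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


def fetch_headers(url: str, timeout: float = 10.0) -> List[Tuple[str, str]]:
    """GET the URL once, without following redirects, and return its raw headers.

    Redirects are deliberately not followed: a cookie set on a 302 to the login
    page would otherwise be consumed before we could inspect it. Certificate
    verification is disabled because lab appliances typically use self-signed certs.
    """
    u = urlsplit(url)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, context=ctx, timeout=timeout)
    try:
        conn.request("GET", u.path or "/")
        return conn.getresponse().getheaders()
    finally:
        conn.close()


def report(headers: List[Tuple[str, str]]) -> List[str]:
    """One line per cookie: OK, or the attributes it is missing."""
    lines = []
    for a in audit_headers(headers):
        status = "OK" if not a.missing else "missing " + ", ".join(a.missing)
        lines.append(f"{a.name}: {status}")
    return lines


# Constructed sample: three responses as they might look before and after the fix.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/ovirt-engine/webadmin"),
    ("Set-Cookie", "JSESSIONID=FEDCBA9876543210; Path=/ovirt-engine/webadmin; HttpOnly"),
    ("Set-Cookie", "JSESSIONID=00FF00FF00FF00FF; Path=/ovirt-engine/webadmin; Secure; HttpOnly"),
]


if __name__ == "__main__":
    # Usage: python audit_cookies.py https://<host_ip>/ovirt-engine/webadmin
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    print("\n".join(report(target)))
```

Run it against the webadmin URL after clearing the browser cache, as in the steps above; with no argument it audits the constructed sample instead. The first sample cookie is the state reported here (no HttpOnly), the second is what the 3.5 fix produces for JSESSIONID, and the third additionally carries Secure.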
ReportModel, for which I opened bug#1095242.
ClientStorageImpl, which may suffer from the same; I am unsure, as I do not think it accesses the server cookies.
Patch reverted, moving to ASSIGNED.
HttpOnly is set for JSESSIONID in 3.5.0-0.11.beta.el6ev.
oVirt 3.5 has been released and should include the fix for this issue.