Launchpad session cookie is accessible from Javascript
Bug #96878 reported by James Henstridge
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Launchpad itself | Fix Released | High | William Grant | |
| Python | Fix Committed | Unknown | | |
Bug Description
By default cookies are available to javascript running in the page. While this is not a problem in theory, if Launchpad had a cross-site scripting hole it would expose our session credentials, which could then be passed to another site.
Apparently Internet Explorer 6 implements an extension to the Set-Cookie header that has been adopted for Firefox 3 that can help here:
https:/
So if we send the cookie as:
Set-Cookie: launchpad=XXXXXX; domain=
Then it will be sent back to us as before, but will not be accessible to the page in document.cookies.
Related branches
lp:~wgrant/launchpad/secure-headers
- Curtis Hovey (community): Approve (code)
Diff: 292 lines (+93/-20), 10 files modified:
- lib/lp/code/stories/webservice/xx-branchmergeproposal.txt (+2/-0)
- lib/lp/hardwaredb/stories/hwdb/xx-hwdb.txt (+2/-0)
- lib/lp/registry/stories/productrelease/xx-productrelease-rdf.txt (+1/-0)
- lib/lp/registry/stories/productseries/xx-productseries-rdf.txt (+1/-0)
- lib/lp/services/oauth/stories/request-token.txt (+1/-1)
- lib/lp/services/webapp/servers.py (+20/-1)
- lib/lp/services/webapp/session.py (+5/-3)
- lib/lp/services/webapp/tests/test_servers.py (+35/-1)
- lib/lp/services/webapp/tests/test_session.py (+24/-7)
- lib/lp/testing/tests/test_yuixhr_fixture.js (+2/-7)
Changed in python:
- status: Unknown → Fix Committed

Changed in launchpad-foundations:
- status: New → Won't Fix
- status: Won't Fix → New
- status: New → Confirmed

Changed in launchpad-foundations:
- importance: Undecided → High
- security vulnerability: no → yes

Changed in launchpad-foundations:
- milestone: none → 10.04
- tags: added: bugjam2010

Changed in launchpad:
- status: Confirmed → Triaged
- summary: Launchpad session cookie should be hidden from Javascript → Launchpad session cookie is accessible from Javascript

Changed in launchpad:
- assignee: nobody → William Grant (wgrant)
- status: Triaged → In Progress
- tags: added: qa-ok; removed: qa-needstesting

Changed in launchpad:
- status: Fix Committed → Fix Released
It seems that the Python Cookie module (used by Zope for cookie handling) does not support custom attributes, such as HttpOnly.
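The bug description explains the mechanism (a session cookie carrying the HttpOnly attribute is still sent back by the browser but is hidden from scripts on the page), and the comment above notes that the Python 2 Cookie module of the time could not emit that attribute. The following is an added example, not code from Launchpad or from the branch linked above: it uses Python 3's http.cookies, whose Morsel does accept an httponly flag, to build such a Set-Cookie header, and it audits a list of Set-Cookie header values so a reviewer can spot session cookies that a cross-site scripting bug could read. The cookie name "launchpad" comes from the bug's own example; the domain, value and header samples are constructed for illustration.

```python
"""Added example (not part of the Launchpad bug or its fix): emit a session
cookie with HttpOnly via Python 3's http.cookies, and audit Set-Cookie
headers for session cookies that scripts on the page could still read."""
from http.cookies import SimpleCookie

# Cookie name taken from the bug's example; treat it as the session cookie.
SESSION_COOKIE_NAMES = {"launchpad"}


def build_session_cookie(name, value, domain, secure=True):
    """Return a Set-Cookie header value for a session cookie hidden from JS.

    The Morsel writes the attributes in sorted key order, so the result reads
    'name=value; Domain=...; HttpOnly; Path=/; Secure'.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["domain"] = domain
    cookie[name]["path"] = "/"
    # HttpOnly: the browser still returns the cookie on requests, but
    # document.cookie no longer exposes it, which is what the bug asks for.
    cookie[name]["httponly"] = True
    if secure:
        cookie[name]["secure"] = True  # never send the session over plain HTTP
    return cookie[name].OutputString()


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, {attr: value}).

    Flag attributes such as HttpOnly have no '=' and are recorded as True;
    attribute names are lower-cased because they are case-insensitive.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie_headers(headers, session_names=SESSION_COOKIE_NAMES):
    """Return one finding per session cookie that lacks HttpOnly or Secure."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in session_names:
            continue
        if "httponly" not in attrs:
            findings.append(f"{name}: session cookie lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{name}: session cookie lacks Secure")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: the first is the pre-fix shape described
    # in the bug, the second is what build_session_cookie() produces.
    weak = "launchpad=abc123; Domain=example.com; Path=/"
    hardened = build_session_cookie("launchpad", "abc123", "example.com")
    print(hardened)
    for finding in audit_set_cookie_headers([weak, hardened]):
        print("FINDING:", finding)
```

The audit only looks at response headers, so it can run over a saved HTTP transcript or a test client's responses without a browser; a cookie that is not in `session_names` is ignored because HttpOnly is only needed where the cookie is a credential.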