Jenkins issue JENKINS-24840

Session cookie not set with HttpOnly flag


    • Type: Improvement
    • Resolution: Duplicate
    • Priority: Minor
    • Component: core

      The session cookie does not have the HttpOnly flag set, so a malicious script could use it to forge an XSS attack. This isn't a direct security issue, as Jenkins prevents arbitrary scripts from being included; it would just offer a second line of defense in case another security issue is detected.
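The report is about a missing attribute on a Set-Cookie header, which is easy to check from the outside: parse each Set-Cookie header a server returns and list the cookies that lack HttpOnly (and, while there, Secure). The following is an added example written for this page; it is not Jenkins code, and the two sets of response headers are constructed to show the state described in the report beside the corrected one.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example for JENKINS-24840, not code from Jenkins. The response headers
below are constructed for illustration, not captured from a real server.
"""
from typing import Dict, List, Tuple

# Cookie attributes that are bare flags (present or absent, no value).
FLAG_ATTRIBUTES = {"httponly", "secure"}


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased (they are case-insensitive per RFC 6265);
    flag attributes such as HttpOnly map to True, valued ones keep their value.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    parsed: Dict[str, object] = {"name": name.strip(), "value": cookie_value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, has_eq, val = attr.partition("=")
        key = key.strip().lower()
        if key in FLAG_ATTRIBUTES:
            parsed[key] = True
        else:
            parsed[key] = val.strip() if has_eq else True
    return parsed


def audit_response(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map every cookie set by the response to the list of attributes it lacks.

    An empty list means the cookie carries both HttpOnly and Secure.
    """
    report: Dict[str, List[str]] = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(header_value)
        missing = [a for a in ("httponly", "secure") if not cookie.get(a)]
        report[str(cookie["name"])] = missing
    return report


def cookies_missing_httponly(headers: List[Tuple[str, str]]) -> List[str]:
    """Names of cookies that scripts in the page could read (no HttpOnly)."""
    return [name for name, missing in audit_response(headers).items()
            if "httponly" in missing]


# Constructed headers: the session cookie as the report describes it (no HttpOnly).
SAMPLE_HEADERS_BEFORE = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
]

# Constructed headers: the same cookie with the flags a defender wants to see.
SAMPLE_HEADERS_AFTER = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, headers in (("before", SAMPLE_HEADERS_BEFORE), ("after", SAMPLE_HEADERS_AFTER)):
        print(label, audit_response(headers))
```

Feed `audit_response` the header list from any HTTP client (for example, the `Set-Cookie` entries of `http.client`'s `getheaders()`); the "before" sample reports `{"JSESSIONID": ["httponly", "secure"]}` and the "after" sample reports an empty list for the same cookie.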

            Assignee: Unassigned
            Reporter: Nicolas De Loof (ndeloof)
            Votes: 1
            Watchers: 3
