JENKINS-24840

Session cookie not set with HttpOnly flag


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Component/s: core

      Description

      The session cookie does not have the HttpOnly flag set, so a malicious script could use it to forge an XSS attack. This isn't a direct security issue, as Jenkins prevents arbitrary script from being included; it would just offer a second line of defense in case another security issue is detected.
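      The following Python check is added here as an illustration and is not part of this issue or of Jenkins itself. It parses Set-Cookie headers, picks out the servlet-container session cookie (assumed to be named JSESSIONID, optionally with a per-instance suffix, as Jetty and Tomcat do), and reports whether HttpOnly (and, over HTTPS, Secure) is missing. The header samples are constructed to look like a Jenkins response; they are not captured output.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) flags.

Added example for JENKINS-24840; not Jenkins code. The SAMPLE_HEADERS below
are constructed to resemble a Jenkins response and are not captured output.
"""
import sys
import urllib.request
from typing import Dict, List, Tuple

# Assumption: the servlet container names the session cookie JSESSIONID,
# optionally with a per-instance suffix such as "JSESSIONID.6f1c2a3b".
SESSION_COOKIE_PREFIXES = ("JSESSIONID",)


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased. Flag attributes (HttpOnly, Secure) map
    to True; valued attributes (Path, Max-Age, SameSite, ...) map to a string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    """True for cookie names matching the assumed session-cookie prefixes."""
    return any(name.upper().startswith(p) for p in SESSION_COOKIE_PREFIXES)


def missing_flags(header_value: str, require_secure: bool = True) -> List[str]:
    """Return the defensive flags a Set-Cookie header lacks.

    HttpOnly keeps the cookie out of document.cookie, so script injected via
    an XSS bug cannot read it (the second line of defense this issue asks for).
    Secure keeps it off plaintext HTTP and is only checked when require_secure.
    """
    cookie = parse_set_cookie(header_value)
    missing: List[str] = []
    if "httponly" not in cookie["attrs"]:
        missing.append("HttpOnly")
    if require_secure and "secure" not in cookie["attrs"]:
        missing.append("Secure")
    return missing


def audit_headers(headers: List[Tuple[str, str]],
                  require_secure: bool = True) -> Dict[str, List[str]]:
    """Audit (name, value) header pairs as returned by HTTPResponse.getheaders().

    Only session cookies are reported. The result maps cookie name to the
    list of missing flags; an empty list means the cookie is properly flagged.
    """
    report: Dict[str, List[str]] = {}
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue)
        if is_session_cookie(str(cookie["name"])):
            report[str(cookie["name"])] = missing_flags(hvalue, require_secure)
    return report


# Constructed sample: one unflagged session cookie (the situation described in
# this issue), one correctly flagged one, and a non-session cookie to ignore.
SAMPLE_HEADERS = [
    ("Set-Cookie", "JSESSIONID.6f1c2a3b=node0abc123.node0; Path=/"),
    ("Set-Cookie", "JSESSIONID.9e8d7c6b=node0def456.node0; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "screenResolution=1920x1080; Path=/"),
    ("Content-Type", "text/html;charset=utf-8"),
]


def audit_url(url: str) -> Dict[str, List[str]]:
    """Fetch a URL and audit the session cookies it sets (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        return audit_headers(resp.getheaders(),
                             require_secure=url.startswith("https://"))


if __name__ == "__main__":
    # With a URL argument, audit a live server; otherwise audit the sample.
    result = audit_url(sys.argv[1]) if len(sys.argv) > 1 else audit_headers(SAMPLE_HEADERS)
    for cookie_name, flags in result.items():
        print(f"{cookie_name}: {'OK' if not flags else 'missing ' + ', '.join(flags)}")
```

      Run it with no arguments to see the constructed sample audited, or pass the base URL of an instance to audit the cookies it actually sets; the Secure check is only applied to https:// targets, since a cookie without Secure is expected on a plain-HTTP test instance.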

            Activity

            Daniel Beck added a comment -

            Nicolas De Loof This is obsolete, right?

            Daniel Beck added a comment -

            Nicolas De Loof Ping

              People

              Assignee: Unassigned
              Reporter: Nicolas De Loof
              Votes: 1
              Watchers: 3
