-
Type:
Improvement
-
Resolution: Duplicate
-
Priority:
Minor
-
Component/s: core
The session cookie does not have HttpOnly flag set, so a malicious script could use it to forge a XSS attack. This isn't a direct security issue, as jenkins prevent arbitrary script to be included, just would offer a a second line of defense in case another security issue is detected.
- duplicates
-
JENKINS-27277 ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookie no HttpOnly flag
-
- Resolved
-
