• Type: Improvement
    • Resolution: Duplicate
    • Priority: Minor
    • Component: core

      The session cookie does not have the HttpOnly flag set, so a malicious script could use it to forge an XSS attack. This isn't a direct security issue, as Jenkins prevents arbitrary scripts from being included; it would just offer a second line of defense in case another security issue is detected.
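The weakness the report describes is a missing cookie attribute on an HTTP response, which is easy to check for mechanically. The following is an added example, not Jenkins code: it parses Set-Cookie headers and flags session cookies that lack HttpOnly (and Secure). The cookie name prefix and the sample header lines are constructed; Jenkins is assumed to issue its session cookie under a JSESSIONID-prefixed name.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example for the HttpOnly discussion: a session cookie issued
without HttpOnly is readable by any script that runs in the page, so a
separate XSS bug would also expose the session. Not Jenkins code; the
header values below are constructed.
"""
import re

# Assumption: servlet/Jenkins session cookies start with JSESSIONID.
SESSION_COOKIE_PATTERN = re.compile(r"^JSESSIONID", re.IGNORECASE)


def parse_set_cookie(header_value):
    """Return (cookie_name, {attribute_lower: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        # Flag attributes such as HttpOnly have no "=value"; store them as "".
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(set_cookie_headers):
    """Return (cookie_name, finding) pairs for session cookies missing flags."""
    findings = []
    for raw in set_cookie_headers:
        name, attrs = parse_set_cookie(raw)
        if not SESSION_COOKIE_PATTERN.match(name):
            continue  # only session cookies are in scope here
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
        if "secure" not in attrs:
            findings.append((name, "missing Secure"))
    return findings


# Constructed headers: the first is the weak form the issue describes,
# the second is what a hardened servlet container emits.
WEAK_HEADERS = ["JSESSIONID.abc123=node0xyz; Path=/"]
HARDENED_HEADERS = ["JSESSIONID.abc123=node0xyz; Path=/; HttpOnly; Secure"]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_cookies(headers) or "ok")
```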

          [JENKINS-24840] Session cookie not set with HttpOnly flag

          Daniel Beck added a comment -

          ndeloof This is obsolete, right?

          Daniel Beck added a comment -

          ndeloof Ping

            Assignee: Unassigned
            Reporter: Nicolas De Loof (ndeloof)
            Votes: 1
            Watchers: 3