anoncsrf cookie needs to be httponly and secure

VERIFIED FIXED in 6.0.8

Status

addons.mozilla.org Graveyard
Code Quality
P3
normal
VERIFIED FIXED
7 years ago
2 years ago

People

(Reporter: clouserw, Assigned: jbalogh)

Tracking

unspecified
6.0.8

Details

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
Could probably piggyback SESSION_COOKIE_SECURE if you wanted.
(Assignee)

Comment 1

7 years ago
https://github.com/mozilla/django-session-csrf/commit/e47cb576

It was already httponly, now it's secure if the request looks secure.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
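
An added illustration of the behaviour Comment 1 describes (not code from django-session-csrf or from this bug): the cookie is always HttpOnly and gets Secure only when the request is secure, and a small check reports which flag a given Set-Cookie value lacks. The function names, the `request_is_secure` boolean and the token values are assumptions made for the example.

```python
from http.cookies import SimpleCookie

ANON_COOKIE = "anoncsrf"  # cookie name from the bug title


def build_anon_cookie(token, request_is_secure):
    """Build the Set-Cookie value: always HttpOnly, Secure only on HTTPS requests.

    Hypothetical helper; request_is_secure stands in for the framework's
    "does this request look secure" check.
    """
    jar = SimpleCookie()
    jar[ANON_COOKIE] = token
    jar[ANON_COOKIE]["path"] = "/"
    jar[ANON_COOKIE]["httponly"] = True
    if request_is_secure:
        jar[ANON_COOKIE]["secure"] = True
    return jar[ANON_COOKIE].OutputString()


def missing_flags(set_cookie_value, request_is_secure):
    """Return the flags the anoncsrf cookie lacks in one Set-Cookie value."""
    name_value, *attrs = [part.strip() for part in set_cookie_value.split(";")]
    if name_value.split("=", 1)[0] != ANON_COOKIE:
        return []  # some other cookie; out of scope for this check
    present = {attr.split("=", 1)[0].lower() for attr in attrs if attr}
    missing = []
    if "httponly" not in present:
        missing.append("HttpOnly")
    if request_is_secure and "secure" not in present:
        missing.append("Secure")
    return missing


# Constructed sample headers (token values are made up).
PRE_FIX = "anoncsrf=0123abcd; HttpOnly; Path=/"
POST_FIX = build_anon_cookie("0123abcd", request_is_secure=True)

if __name__ == "__main__":
    for label, header in (("pre-fix", PRE_FIX), ("post-fix", POST_FIX)):
        print(label, header, "missing:", missing_flags(header, True) or "none")
```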

Comment 2

7 years ago
verified @ https://addons-next.allizom.org/en-US/firefox/users/edit

See post-fix screenshot.
Status: RESOLVED → VERIFIED

Comment 3

7 years ago
Created attachment 530360
post-fix screenshot
Product: addons.mozilla.org → addons.mozilla.org Graveyard