Closed
Bug 819704
Opened 12 years ago
Closed 11 years ago
SSL cookie without secure flag set on developer.mozilla.org
Categories
(developer.mozilla.org :: Security, defect, P2)
developer.mozilla.org
Security
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: kontakt, Unassigned)
References
Details
(Keywords: sec-moderate, Whiteboard: [site:developer.mozilla.org][specification-like][type:bug])
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121128204232

Steps to reproduce:

Good morning, I found a vulnerability.

Actual results:

Description of vulnerability:
Issue: SSL cookie without secure flag set
Host: https://developer.mozilla.org

Expected results:

Secure flag must be set in SSL cookie.

Thank you very much for your reply.

Best Regards,
Artur Czyż
assigning for verification and rating
Assignee: nobody → sbennetts
Whiteboard: [verif?]
Comment 2•12 years ago
Confirmed on the csrftoken cookie. Should probably also have the httponly flag set.
Assignee: sbennetts → administration
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-moderate
Whiteboard: [verif?] → [sec-bounty?]
Updated•12 years ago
Assignee: administration → nobody
Updated•11 years ago
Whiteboard: [sec-bounty?] → [sec-bounty?][site:developer.mozilla.org]
Updated•11 years ago
Flags: sec-bounty?
Whiteboard: [sec-bounty?][site:developer.mozilla.org] → [site:developer.mozilla.org]
Comment 3•11 years ago
The bounty committee has decided not to pay out on this bug due to the minimal impact of the missing SECURE flag. Luke: Can we get the SECURE flag set on MDN cookies?
Flags: sec-bounty? → sec-bounty-
Updated•11 years ago
Component: Login → Security
Updated•11 years ago
Priority: -- → P1
Updated•11 years ago
Whiteboard: [site:developer.mozilla.org] → [site:developer.mozilla.org][specification-like][type:bug]
Updated•11 years ago
Priority: P1 → P2
Comment 4•11 years ago
(In reply to David Chan [:dchan] from comment #3)
> Luke: Can we get the SECURE flag set on MDN cookies?

The only cookie that can be changed in one project-wide swoop is the session cookie (which is now secure). Otherwise it has to be set per-cookie, when the cookie is set.

Switching to use django-session-csrf[1] (not sure why we aren't already) will remove the csrftoken cookie and stick the data in the session, which will address this particular issue (and another bug).

[1] https://github.com/mozilla/django-session-csrf
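As an added example (not kuma or MDN code), here is a small auditor for the check this thread describes: it parses Set-Cookie headers from an HTTPS response and reports any cookie missing the Secure flag (and, per comment 2, HttpOnly). The sample headers are constructed; the Django setting names in the docstring are the project-wide switches comment 4 alludes to.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly flags.

Added example, not MDN/kuma code. Sample headers below are constructed.
In Django the project-wide switches are SESSION_COOKIE_SECURE,
CSRF_COOKIE_SECURE and CSRF_COOKIE_HTTPONLY; any other cookie must be
set individually with response.set_cookie(..., secure=True, httponly=True).
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute names


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value followed by ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # bare flags like Secure map to ""
    return Cookie(name.strip(), value, attrs)


def audit(headers, over_https=True):
    """Return (cookie_name, missing_flag) findings; Secure only matters over HTTPS."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if over_https and "secure" not in cookie.attrs:
            findings.append((cookie.name, "Secure"))
        if "httponly" not in cookie.attrs:
            findings.append((cookie.name, "HttpOnly"))
    return findings


# Constructed sample headers: the state described in the bug, and the fixed state.
SAMPLE_BEFORE = [
    "csrftoken=CONSTRUCTED_TOKEN; Path=/; Max-Age=31449600",
    "sessionid=CONSTRUCTED_SESSION; Path=/; HttpOnly",
]
SAMPLE_AFTER = [
    "sessionid=CONSTRUCTED_SESSION; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name, flag in audit(SAMPLE_BEFORE):
        print(f"{name}: missing {flag}")
```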
Comment 5•11 years ago
(In reply to James Socol [:jsocol, :james] from comment #4)
> Switching to use django-session-csrf[1] (not sure why we aren't already)
> will remove the csrftoken cookie and stick the data in the session, which
> will address this particular issue (and another bug).
>
> [1] https://github.com/mozilla/django-session-csrf

That's bug 698427. Until very recently, the version of Django we were on was incompatible with django-session-csrf.
Comment 6•11 years ago
https://github.com/mozilla/kuma/pull/992
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 7•8 years ago
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•8 years ago
Group: websites-security