Details
Improvement
Status: Closed
Normal
Resolution: Fixed
13.3.0
None
None
Tiger
Tiger Sprint 211
Description
The cookies for locale and timezone are managed and used by the LoginPanel. There is no functional need for them to be read by JavaScript, so we should mark them HttpOnly.
The usage-statistics script still tries to read the locale cookie in case it is not provided with the 'start-usage-statistics' event, which is only true for CMS < 11.2.
I did not find any other pieces of JavaScript that rely on these cookies. And if there is still a need to know these values from JavaScript, there is a much simpler way with these two global vars:
window.Hippo.Session.locale
window.Hippo.Session.timezone
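
A check for the change described above, as an added example that is not part of the original issue or the project's code: it parses Set-Cookie response headers and reports which of the named cookies are still set without HttpOnly. The cookie names and sample headers are constructed placeholders, not the CMS's real ones.

```javascript
// Added example: audit Set-Cookie headers for the HttpOnly attribute.
// EXAMPLE_LOCALE / EXAMPLE_TZ are constructed placeholder names (assumption).

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null; // no cookie name, nothing to audit
  const attrs = new Map();
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive, so normalise to lower case.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs,
  };
}

// Return the names from `expected` that appear in at least one Set-Cookie
// header without HttpOnly, i.e. cookies still visible to document.cookie.
function cookiesReadableByScript(setCookieHeaders, expected) {
  const readable = new Set();
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (!cookie || !expected.includes(cookie.name)) continue;
    if (!cookie.attrs.has('httponly')) readable.add(cookie.name);
  }
  return [...readable];
}

// Constructed sample headers: before and after marking the cookies HttpOnly.
const AUDITED = ['EXAMPLE_LOCALE', 'EXAMPLE_TZ'];
const SAMPLE_BEFORE = [
  'EXAMPLE_LOCALE=en; Path=/cms; Max-Age=31536000',
  'EXAMPLE_TZ=Europe/Amsterdam; Path=/cms; Secure',
  'JSESSIONID=abc123; Path=/cms; HttpOnly',
];
const SAMPLE_AFTER = [
  'EXAMPLE_LOCALE=en; Path=/cms; Max-Age=31536000; HttpOnly',
  'EXAMPLE_TZ=Europe/Amsterdam; Path=/cms; Secure; httponly',
];

console.log('before:', cookiesReadableByScript(SAMPLE_BEFORE, AUDITED));
console.log('after: ', cookiesReadableByScript(SAMPLE_AFTER, AUDITED));
```

The parser only treats `HttpOnly` as an attribute when it follows the first `name=value` pair, so a cookie whose value happens to contain that string is still reported.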