Set big_pipe_nojs cookie with secure flag

Created on 8 July 2021, almost 4 years ago
Updated 1 September 2022, over 2 years ago

Problem/Motivation

Security scans are calling out the setting of the big_pipe_nojs cookie without the 'secure' flag set as an OWASP vulnerability:

5.2.2 Cookie Security: Cookie not Sent Over SSL (Medium)
CWE-614
OWASP Top 10: A3
PCI 3.2: 4.1 Use strong cryptography and security protocols, 6.5.4 Insecure Communications

While this is reflected as a security issue, I don't think it should be formally reported as such.

Steps to reproduce

N/A

Proposed resolution

Where the big_pipe_nojs cookie is set, ensure the 'secure' flag is set.
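As an added illustration (not BigPipe's or Drupal core's own code), the flagged cookie beside its hardened form, built with Symfony HttpFoundation as Drupal responses are; the function names and the sample request are assumptions, and the final check is the kind of assertion the automated test this issue is tagged as missing would make:

```php
<?php
// Added illustration for this issue, not Drupal core's code. Assumes the cookie
// is emitted via Symfony HttpFoundation (which Drupal responses use); function
// names and the constructed sample request are hypothetical.
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;

const NOJS_COOKIE = 'big_pipe_nojs';

// The setting the scanner flags: secure = FALSE, so a browser will also attach
// the cookie to plain-HTTP requests for the same host (CWE-614).
function buildNoJsCookieInsecure(): Cookie {
  // Positional arguments: name, value, expire, path, domain, secure, httpOnly.
  return new Cookie(NOJS_COOKIE, '1', 0, '/', NULL, FALSE, FALSE);
}

// Proposed resolution: set the Secure flag. Deriving it from the request scheme
// keeps a site that is still served over plain HTTP working, because a Secure
// cookie is never sent back over HTTP. HttpOnly is outside this issue's scope
// and is left as it was.
function buildNoJsCookieSecure(Request $request): Cookie {
  return new Cookie(NOJS_COOKIE, '1', 0, '/', NULL, $request->isSecure(), FALSE, FALSE, Cookie::SAMESITE_LAX);
}

// The check an automated test for this fix would make: the Set-Cookie header
// for big_pipe_nojs must carry the secure flag.
function noJsCookieIsSecure(RedirectResponse $response): bool {
  foreach ($response->headers->getCookies() as $cookie) {
    if ($cookie->getName() === NOJS_COOKIE) {
      return $cookie->isSecure();
    }
  }
  return FALSE;
}

// Constructed sample: the no-JS redirect on an HTTPS site.
$request = Request::create('https://example.com/node/1');
$fixed = new RedirectResponse('/node/1');
$fixed->headers->setCookie(buildNoJsCookieSecure($request));
var_dump(noJsCookieIsSecure($fixed));

$broken = new RedirectResponse('/node/1');
$broken->headers->setCookie(buildNoJsCookieInsecure());
var_dump(noJsCookieIsSecure($broken));
```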

Remaining tasks

N/A

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

N/A

Category

Feature request

Status

Needs work

Version

9.5

Component

BigPipe

Created by

🇺🇸United States kkohlbrenner Saint Louis, MO

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
