Set big_pipe_nojs cookie with secure flag

Created on 8 July 2021, over 3 years ago
Updated 1 July 2024, 6 months ago

Problem/Motivation

Security scans are flagging the big_pipe_nojs cookie being set without the 'secure' flag as an OWASP vulnerability:

5.2.2 Cookie Security: Cookie not Sent Over SSL (severity: Medium)
CWE-614
OWASP Top 10: A3
PCI 3.2: 4.1 Use strong cryptography and security protocols, 6.5.4 Insecure Communications

While this is reflected as a security issue, I don't think it should be formally reported as such.

Steps to reproduce

N/A

Proposed resolution

Where the big_pipe_nojs cookie is set, ensure the 'secure' flag is set.
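The following pure-PHP snippet is an added illustration of the proposed change; it is not Drupal core code and not part of this issue. It models the no-JS fallback cookie getting the Secure attribute whenever the request arrived over HTTPS, and includes a small audit helper that flags Set-Cookie headers lacking Secure, which is what the scan quoted above checks for (CWE-614). The function names, the `$server` array inputs and the header strings are constructed for the example; only the cookie name `big_pipe_nojs` comes from the issue.

```php
<?php
declare(strict_types=1);

// Added example, not Drupal core code. Models the fix proposed in this issue:
// tie the Secure attribute of the no-JS cookie to the request scheme, and
// audit Set-Cookie headers the way the security scan does.

const NOJS_COOKIE = 'big_pipe_nojs'; // cookie name taken from the issue

/**
 * Decide whether the request is HTTPS, either by direct TLS or, when the
 * deployment trusts its reverse proxy, by X-Forwarded-Proto. Constructed
 * helper for this example; a real application uses its framework's check.
 */
function requestIsSecure(array $server, bool $trustProxy = false): bool {
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    return $trustProxy
        && isset($server['HTTP_X_FORWARDED_PROTO'])
        && strtolower((string) $server['HTTP_X_FORWARDED_PROTO']) === 'https';
}

/**
 * Build the Set-Cookie header value for the no-JS cookie. The Secure flag
 * follows the request scheme rather than being hard-coded: browsers refuse
 * to store a Secure cookie that is set over plain HTTP, so a hard-coded
 * Secure would silently break the no-JS fallback on non-TLS sites.
 */
function buildNoJsCookieHeader(bool $secure): string {
    $parts = [NOJS_COOKIE . '=1', 'Path=/'];
    if ($secure) {
        $parts[] = 'Secure';
    }
    return implode('; ', $parts);
}

/**
 * Audit helper: return the names of cookies, from a list of Set-Cookie header
 * values, that lack the Secure attribute (the condition the scan reports).
 */
function cookiesMissingSecure(array $setCookieHeaders): array {
    $missing = [];
    foreach ($setCookieHeaders as $header) {
        $attributes = array_map('trim', explode(';', $header));
        $name = explode('=', array_shift($attributes), 2)[0];
        $hasSecure = false;
        foreach ($attributes as $attr) {
            if (strcasecmp($attr, 'Secure') === 0) {
                $hasSecure = true;
                break;
            }
        }
        if (!$hasSecure) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed demonstration (run from the CLI): one HTTPS and one HTTP request.
$httpsRequest = ['HTTPS' => 'on'];
$httpRequest  = [];
$before = NOJS_COOKIE . '=1; Path=/';                             // what the scan flagged
$after  = buildNoJsCookieHeader(requestIsSecure($httpsRequest));   // with the proposed fix

echo "before:         $before\n";
echo "after (https):  $after\n";
echo "after (http):   " . buildNoJsCookieHeader(requestIsSecure($httpRequest)) . "\n";
echo "flagged before: " . implode(',', cookiesMissingSecure([$before])) . "\n";
echo "flagged after:  " . implode(',', cookiesMissingSecure([$after])) . "\n";
```

Over HTTPS the audit no longer reports the cookie; over plain HTTP it still does, which is expected and is the practical reason the flag must be derived from the request rather than set unconditionally.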

Remaining tasks

N/A

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

N/A

✨ Feature request
Status

Needs work

Version

11.0

Component
BigPipe →

Last updated 3 days ago

Created by

kkohlbrenner (United States, Saint Louis, MO)

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

