Set big_pipe_nojs cookie with HttpOnly=true

Created on 3 May 2024, about 2 months ago
Updated 5 June 2024, 21 days ago

Problem/Motivation

Security scans are calling out the setting of big_pipe_nojs cookie without HTTPOnly flag.

Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.

There are a few questions:

  1. I am not a BigPipe expert, but I wasn't able to find any JS usage of this cookie. Do we really need to keep HttpOnly = false?
  2. If we really need HttpOnly = false, can we add it to the docs, with an explanation of why it should not be treated as a security issue? (As I understand it, even if this cookie is stolen, the user account cannot be compromised.)

Steps to reproduce

  1. Enable the BigPipe module
  2. Open the page /big_pipe/no-js?destination=...some_destination...

Proposed resolution

N/A

Remaining tasks

N/A

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

N/A

📌 Task
Status

Active

Version

11.0 🔥

Component
BigPipe →

Last updated about 13 hours ago

Created by

🇺🇦 Ukraine max-kuzomko


Comments & Activities

  • Issue created by @max-kuzomko
  • Status changed to Postponed: needs info about 2 months ago
  • 🇺🇸 United States cilefen

    Drupal 9 is end-of-life and has no security support. Update to a supported version.

  • Status changed to Active about 2 months ago
  • 🇺🇦 Ukraine max-kuzomko

    @cilefen, the same issue in Drupal 10.1:

    core/modules/big_pipe/src/Controller/BigPipeController.php
    $response->headers->setCookie(new Cookie(BigPipeStrategy::NOJS_COOKIE, TRUE, 0, '/', NULL, FALSE, FALSE, FALSE, NULL));

    It sets HttpOnly to FALSE.

  • 🇺🇸 United States cilefen
  • 🇯🇴 Jordan Mohammad-Fayoumi Amman

    I've encountered this issue and realized that we need to secure the cookies by ensuring our website is configured to use HTTPS, which involves having an SSL/TLS certificate installed. Additionally, the cookies should have the Secure attribute.

    There are multiple ways to add these security flags, either by editing the application code (bigpipe code) or updating the web server configuration files, such as the Apache configuration file (httpd.conf or apache2.conf).

    Apache configuration file (httpd.conf or apache2.conf):

    <IfModule mod_headers.c>
        # Append HttpOnly and Secure to every Set-Cookie header the server emits
        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    </IfModule>
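
As an added example (not part of this issue, Drupal core or the BigPipe module), here is a small Python check of the kind the security scan in the issue summary performs: it parses Set-Cookie headers and reports missing HttpOnly, Secure and SameSite attributes. All sample headers are constructed; the first mirrors the shape the quoted BigPipeController call would produce (value TRUE serialised as "1", session cookie, no secure/httponly flags), and the same check can be rerun after a change such as the Apache `Header edit` rule above to confirm the flags are now present.

```python
"""Audit Set-Cookie headers for the attributes a security scan checks.

Added example, not Drupal or BigPipe code: a small parser plus checks for
HttpOnly, Secure and SameSite, run over constructed sample headers.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    attributes: dict[str, str]
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split a Set-Cookie value into the cookie name and a lower-cased attribute map.

    Attribute names are case-insensitive (RFC 6265), so 'HttpOnly' and
    'httponly' are both recognised; flag attributes without a value map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attributes: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attributes[key.strip().lower()] = value.strip()
    return CookieAudit(name=name.strip(), attributes=attributes)


def audit_set_cookie(header_value: str, served_over_https: bool = True) -> CookieAudit:
    """Return the parsed cookie with one finding per missing or inconsistent attribute."""
    cookie = parse_set_cookie(header_value)
    attrs = cookie.attributes
    if "httponly" not in attrs:
        cookie.findings.append(
            "missing HttpOnly: readable via document.cookie, so injected script can exfiltrate it")
    if served_over_https and "secure" not in attrs:
        cookie.findings.append("missing Secure: the browser will also send it over plaintext HTTP")
    if "samesite" not in attrs:
        cookie.findings.append("missing SameSite: attached to cross-site requests")
    elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
        cookie.findings.append("SameSite=None without Secure: modern browsers reject the cookie")
    return cookie


def audit_all(header_values, served_over_https: bool = True) -> list[CookieAudit]:
    """Audit a sequence of Set-Cookie values; results keep the input order."""
    return [audit_set_cookie(h, served_over_https) for h in header_values]


# Constructed sample headers (not captured from a real server).
SAMPLE_HEADERS = [
    # Shape of the header the quoted BigPipeController call would emit:
    # value TRUE becomes "1", expire 0 means a session cookie, secure/httpOnly FALSE.
    "big_pipe_nojs=1; path=/",
    # The same cookie with httpOnly and secure TRUE and a SameSite attribute.
    "big_pipe_nojs=1; path=/; secure; httponly; samesite=lax",
    # A hardened session cookie using a Drupal-style SSESS prefix (constructed value).
    "SSESSdeadbeef=abc123; expires=Wed, 02 Jul 2025 10:00:00 GMT; path=/; secure; httponly",
]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_HEADERS):
        status = "OK " if not result.findings else "BAD"
        print(f"{status} {result.name}")
        for finding in result.findings:
            print(f"      - {finding}")
```

Because the Apache rule above rewrites every Set-Cookie header the server emits, it also marks HttpOnly any cookie that client-side script legitimately reads, so review the audit output per cookie name rather than only checking that the scan goes green.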