Set big_pipe_nojs cookie with HttpOnly=true

Created on 3 May 2024, 8 months ago

Problem/Motivation

Security scans are calling out the setting of big_pipe_nojs cookie without HTTPOnly flag.

Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.

There are a few questions:

  1. I am not a BigPipe expert, but I wasn't able to find any JS usage of this cookie. Do we really need to keep HttpOnly - false?
  2. If we really need HttpOnly - false, can we add it to the docs, with an explanation of why it should not be treated as a security issue? (As I understand it, even if this cookie is stolen, the user account cannot be compromised.)

Steps to reproduce

  1. Enable the BigPipe module
  2. Open the page /big_pipe/no-js?destination=...some_destination...

Proposed resolution

N/A

Remaining tasks

N/A

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

N/A

✨ Feature request

Status

Active

Version

9.5

Component
BigPipe

Last updated 3 days ago

Created by

🇺🇦 Ukraine max-kuzomko


Comments & Activities

  • Issue created by @max-kuzomko
  • Status changed to Postponed: needs info 8 months ago
  • Drupal 9 is end-of-life and has no security support. Update to a supported version.

  • Status changed to Active 8 months ago
  • 🇺🇦 Ukraine max-kuzomko

    @cilefen, the same issue in Drupal 10.1:

    core/modules/big_pipe/src/Controller/BigPipeController.php
    $response->headers->setCookie(new Cookie(BigPipeStrategy::NOJS_COOKIE, TRUE, 0, '/', NULL, FALSE, FALSE, FALSE, NULL));

    It sets HttpOnly to FALSE.

  • 🇯🇴 Jordan mohammad-fayoumi Amman

    I've encountered this issue and realized that we need to secure the cookies by ensuring our website is configured to use HTTPS, which involves having an SSL/TLS certificate installed. Additionally, the cookies should have the Secure attribute.

    There are multiple ways to add these security flags, either by editing the application code (bigpipe code) or updating the web server configuration files, such as the Apache configuration file (httpd.conf or apache2.conf).

    Apache configuration file (httpd.conf or apache2.conf).

    <IfModule mod_headers.c>
        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    </IfModule>
  • 🇬🇧 United Kingdom mcdruid 🇬🇧🇪🇺

    bigpipe explicitly sets the secure and httponly attributes to false.

    What's the justification for that to be changed?

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#block_access_t...

    The big_pipe_nojs cookie is just a boolean flag, the purpose of which is explained in \Drupal\big_pipe\Render\Placeholder\BigPipeStrategy

    The HTTPonly and Secure attributes are intended to protect potentially sensitive information contained in cookies, and to prevent JS/client side code from being able to manipulate sensitive cookies.

    None of that applies to this cookie, so it's legitimate for it not to have those attributes set.

    Is the only reason to change them to prevent false positives from security scans?
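As an added example (not part of this issue, Drupal core or any commenter's code), a small Python audit in the spirit of the scanner finding in the summary: it parses Set-Cookie headers, reports cookies missing HttpOnly/Secure, accepts an allowlist for documented non-sensitive flags such as big_pipe_nojs (the justification given above), and mimics the Apache `Header edit` rewrite from the earlier comment to show that it appends the attributes unconditionally, duplicating them on cookies that already carry them. The sample headers and the allowlist are constructed for this example.

```python
import re

# Constructed sample Set-Cookie headers: the BigPipe no-JS flag as Drupal sets it
# (no Secure, no HttpOnly), a session cookie that already has both, and a cookie
# with only Secure.
SAMPLE_SET_COOKIE_HEADERS = [
    "big_pipe_nojs=1; path=/",
    "SSESS1234abcd=deadbeef; Max-Age=2000000; path=/; secure; HttpOnly; SameSite=Lax",
    "tracking_id=xyz; path=/; secure",
]

# Hypothetical allowlist: cookies documented as plain boolean flags that carry
# nothing worth protecting from client-side JS.
NON_SENSITIVE_FLAGS = frozenset({"big_pipe_nojs"})


def parse_set_cookie(header: str) -> tuple[str, str, set[str]]:
    """Split one Set-Cookie header into (name, value, lowercased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive; value-bearing ones (path=/) lose their value.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value, attrs


def audit_cookies(headers, allowlist=frozenset()):
    """Return {cookie_name: [missing attributes]} for cookies lacking HttpOnly or
    Secure, skipping names on the allowlist (what the scanner would not do)."""
    findings = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name in allowlist:
            continue
        missing = [a for a in ("httponly", "secure") if a not in attrs]
        if missing:
            findings[name] = missing
    return findings


def apache_header_edit(header: str) -> str:
    """Mimic `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure`: a blind suffix append
    that does not check whether the attributes are already present."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", header)


if __name__ == "__main__":
    print("scanner view:", audit_cookies(SAMPLE_SET_COOKIE_HEADERS))
    print("with allowlist:", audit_cookies(SAMPLE_SET_COOKIE_HEADERS, NON_SENSITIVE_FLAGS))
    print("after Apache edit:", [apache_header_edit(h) for h in SAMPLE_SET_COOKIE_HEADERS])
```

Browsers tolerate the duplicated attributes, so the rewrite silences the scan, but the allowlist is the more honest fix when a cookie is, like this one, a documented non-sensitive flag.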
