Protect Against XSS by Enabling Secure and HttpOnly [#2925265]

What are your thoughts on implementing

$secure = true|false
$httponly = true|false

I propose we can do the following:
- extend the form BasicSettingsForm to provide 2 additional fields
- by default secure can be set to false
- by default httponly can be set to false
- extend the setrawcookie to use config settings.

What are your thoughts? See attched patch!

security

Comment	File	Size	Author
#10	2925265-1.patch	4.26 KB	dakku
#10	8.x-3.x: PHP 7 & MySQL 5.5, D8.5 Patch Failed to Apply
#4	Screen Shot 2017-11-21 at 4.59.41 pm.png	53.3 KB	dakku
#2	2925265.patch	4.3 KB	dakku
#2	8.x-3.x: PHP 7 & MySQL 5.5, D8.5 Patch Failed to Apply

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

21 November 2017 at 13:54

dakku created an issue. See original summary.

Comment #2

dakku CreditAttribution: dakku as a volunteer commented 21 November 2017 at 15:06

File	Size
2925265.patch	4.3 KB
8.x-3.x: PHP 7 & MySQL 5.5, D8.5 Patch Failed to Apply

Comment #3

dakku CreditAttribution: dakku as a volunteer commented 21 November 2017 at 15:14

Status:

Active

» Needs review

Comment #4

dakku CreditAttribution: dakku as a volunteer commented 21 November 2017 at 17:00

File	Size
Screen Shot 2017-11-21 at 4.59.41 pm.png	53.3 KB

Comment #5

dakku CreditAttribution: dakku as a volunteer commented 21 November 2017 at 17:01

Issue summary:

View changes

Comment #6

snufkin CreditAttribution: snufkin at Cheppers for GatherContent commented 24 November 2017 at 10:25

I think this would be a very useful addition and improvement to the module. But with making it default on the config retrieval part are we risking breaking legacy sites which do not have https?

Comment #7

dakku CreditAttribution: dakku as a volunteer commented 24 November 2017 at 13:31

Hey Balazs,
cheers for the feedback. By default, both the options are unchecked. Therefore, legacy sites shouldnt be affected. This will only take effect if the option(s) are set.

+++ b/config/install/simplesamlphp_auth.settings.yml
@@ -23,3 +23,5 @@ sync:
   user_name: true
 autoenablesaml: false
 debug: false
+secure: false
+httponly: false

Comment #8

snufkin CreditAttribution: snufkin at Cheppers for GatherContent commented 24 November 2017 at 16:19

Then thumbs up from me! There are two warnings for missing newlines from dredit, but apart from that I don't see why we shouldn't add this.

Comment #9

27 November 2017 at 09:38

dakku committed 50b7be9 on 8.x-3.x

Issue #2925265 by dakku: Protect Against XSS by Enabling Secure and...

Comment #10

dakku CreditAttribution: dakku as a volunteer commented 27 November 2017 at 09:44

File	Size
2925265-1.patch	4.26 KB
8.x-3.x: PHP 7 & MySQL 5.5, D8.5 Patch Failed to Apply

1 file was hidden/shown/deleted

File	Size
2925265.patch	4.3 KB
8.x-3.x: PHP 7 & MySQL 5.5, D8.5 Patch Failed to Apply

Slightly updated patch. Cheers for the review Balazs. This is now merged in and available in RC3

Comment #11

dakku CreditAttribution: dakku as a volunteer commented 27 November 2017 at 09:44

Status:

Needs review

» Fixed

Comment #12

11 December 2017 at 09:49

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Protect Against XSS by Enabling Secure and HttpOnly

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Comment #12

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community