flask: set cookie sr.ht.unified-login.v1 as HTTP-Only

The cookie that is used to authenticate the user could be stolen; this
happens because it is exposed to JavaScript:

    console.log(document.cookie)

Because it is exposed, someone could potentially steal the cookie and
use it as a bypass to get authenticated as a registered user, in the
event of a successful XSS exploitation.

References:
- <https://security.stackexchange.com/questions/260296/can-someone-clone-my-session-id-cookie-and-login-as-me>
- <https://flask.palletsprojects.com/en/2.3.x/api/#flask.Response.set_cookie>

Signed-off-by: youkwhd <lolywk@tutanota.com>
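As an added illustration (not part of the commit or the sr.ht code base), the check below renders a Set-Cookie header for the cookie named in the commit with and without the hardening flags, and audits a header for the attributes a reviewer looks for; the domain, token value and the stdlib-based rendering are constructed stand-ins for Flask's `set_cookie`.

```python
from http.cookies import SimpleCookie

# Cookie name from the page; domain and token value are constructed samples.
COOKIE_NAME = "sr.ht.unified-login.v1"
SAMPLE_DOMAIN = "example.org"
SAMPLE_TOKEN = "constructed-fernet-token"

# Boolean attributes an authenticating cookie should carry.
REQUIRED_FLAGS = ("httponly", "secure")


def build_set_cookie(name, value, domain, max_age,
                     httponly=False, secure=False, samesite=None):
    """Render one Set-Cookie header (stdlib stand-in for Flask's set_cookie)."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["domain"] = domain
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    if httponly:
        morsel["httponly"] = True   # hides the value from document.cookie
    if secure:
        morsel["secure"] = True     # only sent over HTTPS
    if samesite:
        morsel["samesite"] = samesite
    return jar.output(header="").strip()


def audit_set_cookie(header):
    """Return (cookie name, list of missing hardening attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value if value else True  # flags have no value
    missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
    if "samesite" not in attrs:
        missing.append("samesite")
    return name, missing


if __name__ == "__main__":
    weak = build_set_cookie(COOKIE_NAME, SAMPLE_TOKEN, SAMPLE_DOMAIN, 3600)
    hardened = build_set_cookie(COOKIE_NAME, SAMPLE_TOKEN, SAMPLE_DOMAIN, 3600,
                                httponly=True, secure=True, samesite="Lax")
    print(weak, audit_set_cookie(weak))
    print(hardened, audit_set_cookie(hardened))
```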
youkwhd 2023-08-22 21:22:55 +07:00 committed by Drew DeVault
parent 9d194be927
commit cc4467fcf4
1 changed file with 4 additions and 1 deletion


@ -441,7 +441,9 @@ class SrhtFlask(Flask):
if not g.current_user:
# Clear user info cookie
response.set_cookie(cookie_key, "",
domain=global_domain, max_age=0)
domain=global_domain,
httponly=True,
max_age=0)
else:
# Set user info cookie
user_info = g.current_user.to_dict(first_party=True)
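Review bot: in the clearing branch, `httponly=True` on the `max_age=0` call is harmless but not what makes the browser drop the cookie; that depends on name, domain and path matching the cookie that was set, so the intent reads more clearly as `response.delete_cookie(cookie_key, domain=global_domain)`. Neither branch passes `secure` or `samesite`, so if those are added to the setting call below they should be mirrored here for consistency.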
@ -450,6 +452,7 @@ class SrhtFlask(Flask):
response.set_cookie(cookie_key,
fernet.encrypt(user_info.encode()).decode(),
domain=global_domain,
httponly=True,
max_age=60 * 60 * 24 * 365)
path = request.path
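Review bot: the authenticating cookie now has `httponly=True` but no `secure=True` or `samesite`, so the fernet-encrypted login token is still attached to plaintext HTTP requests where the site is reachable over HTTP and to cross-site requests; add `secure=True` and `samesite="Lax"` next to `httponly=True` when the site is served over HTTPS. Worth stating in the commit message as well: HttpOnly stops the value being read via `document.cookie`, but an XSS payload can still make authenticated requests from the victim's browser, so this reduces the impact rather than closing the XSS itself.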