Admittedly, this feels more like a specific implementation issue than, say, core sso-dashboard code, but we can probably start here and have the issue migrated to another, more appropriate place if there is one.
REQUEST:

```http
GET /dashboard HTTP/1.1
Host: sso.mozilla.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Connection: close
Cookie: _ga=GA1.3.225014566.1530649067; _gid=GA1.3.1145898724.1555421750
```
RESPONSE:

```http
HTTP/1.1 302 FOUND
Server: nginx/1.15.10
Date: Tue, 16 Apr 2019 14:05:07 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 685
Connection: close
Location: https://auth.mozilla.auth0.com/authorize?REDACTED
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' ajax.googleapis.com fonts.googleapis.com https://*.googletagmanager.com https://tagmanager.google.com https://*.google-analytics.com https://cdn.sso.mozilla.com https://cdn.sso.allizom.org; font-src 'self' fonts.googleapis.com fonts.gstatic.com https://cdn.sso.mozilla.com https://cdn.sso.allizom.org; img-src 'self' https://*.mozillians.org https://cdn.sso.mozilla.com https://cdn.sso.allizom.org https://*.google-analytics.com https://*.gravatar.com https://i0.wp.com/ https://i1.wp.com; style-src 'self' ajax.googleapis.com fonts.googleapis.com https://cdn.sso.mozilla.com https://cdn.sso.allizom.org
X-Content-Security-Policy: default-src 'self'; script-src 'self' ajax.googleapis.com fonts.googleapis.com https://*.googletagmanager.com https://tagmanager.google.com https://*.google-analytics.com https://cdn.sso.mozilla.com https://cdn.sso.allizom.org; font-src 'self' fonts.googleapis.com fonts.gstatic.com https://cdn.sso.mozilla.com https://cdn.sso.allizom.org; img-src 'self' https://*.mozillians.org https://cdn.sso.mozilla.com https://cdn.sso.allizom.org https://*.google-analytics.com https://*.gravatar.com https://i0.wp.com/ https://i1.wp.com; style-src 'self' ajax.googleapis.com fonts.googleapis.com https://cdn.sso.mozilla.com https://cdn.sso.allizom.org
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: session=REDACTED; Domain=.sso.mozilla.com; HttpOnly; Path=/
Strict-Transport-Security: max-age=15724800; includeSubDomains
```
Recommendation: Include a `Secure` attribute on the `session` cookie. The rationale for doing so is to prevent an attacker from being able to elicit HTTP requests for the sso.mozilla.com domain and effectively leak the token in clear text on the wire, where a well-positioned attacker (think coffee shop scenario) would have visibility to it.
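As an added example (not code from the issue or from the sso-dashboard project), the check below parses a `Set-Cookie` header the way a header-audit script would, flags the attributes that are absent, and emits the hardened form; it is run against the `session` cookie line quoted in the response above. `SameSite` is included alongside `Secure` as a standard companion check, not because the issue asks for it.

```python
# Added example: audit a Set-Cookie header for the attributes the issue
# discusses and produce a hardened version. Not part of sso-dashboard.
from dataclasses import dataclass, field

# The Set-Cookie line quoted in the issue's response (token redacted as there).
OBSERVED = "session=REDACTED; Domain=.sso.mozilla.com; HttpOnly; Path=/"


@dataclass
class CookieAudit:
    name: str
    attrs: dict                     # lower-cased attribute -> value ("" for flags)
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split a Set-Cookie value into the cookie name and its attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(name=name, attrs=attrs)


def audit_set_cookie(header: str) -> CookieAudit:
    """Record which protective attributes are missing; Secure is the one reported."""
    audit = parse_set_cookie(header)
    if "secure" not in audit.attrs:
        # Without Secure the browser also attaches the cookie to plain http://
        # requests for the domain, so the token can be read on the wire.
        audit.findings.append("missing Secure")
    if "httponly" not in audit.attrs:
        audit.findings.append("missing HttpOnly")
    if "samesite" not in audit.attrs:
        audit.findings.append("missing SameSite")
    return audit


def harden(header: str) -> str:
    """Return the header with Secure (and SameSite=Lax) appended when absent."""
    attrs = parse_set_cookie(header).attrs
    out = header.rstrip("; ")
    if "secure" not in attrs:
        out += "; Secure"
    if "samesite" not in attrs:
        out += "; SameSite=Lax"
    return out


if __name__ == "__main__":
    for line in (OBSERVED, harden(OBSERVED)):
        print(line, "->", audit_set_cookie(line).findings or "ok")
```

If the dashboard is a Flask application (an assumption; the issue does not say), the server-side equivalent of the appended attribute is `SESSION_COOKIE_SECURE = True` in the app config.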