Bugzilla cookies HTTP only
Gervase Markham
gerv at mozilla.org
Wed Jan 13 16:37:09 UTC 2010
What exactly are the security benefits we get from having our cookies
HTTPonly?
I ask because I was hoping to allow Greasemonkey scripts/Jetpacks etc.
which run in the context of Bugzilla pages to grab the auth cookie and
pass it on to the API, which can then use it to access Bugzilla. This
obviates the rather irritating and insecure step of having to configure
every Jetpack or Greasemonkey script with your Bugzilla username and
password. However, having refactored BzAPI for this to work, I now
realise the cookies are HTTPonly and I can't get to them :-|
The usual threat that HTTPonly is said to protect against is cookie
stealing by malicious scripts.
1) It doesn't work, because if they've managed to get code running in
your Bugzilla page context, the attacker can just make any requests they
want using XMLHttpRequest, and the auth cookies will get sent right along:
http://www.gnucitizen.org/blog/why-httponly-wont-protect-you/
2) Large sites now use a different domain name for attachments anyway.
Given the above, should we reconsider the HTTPonly nature of Bugzilla
cookies? Or are there attacks it mitigates which I've missed?
Gerv
_______________________________________________
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-apps-bugzilla
More information about the developers
mailing list