
add -httponly to all calls to CGI::Cookie->new()

1 parent 082e2da commit 03be0f8cede78db333f733a28bc9fd5a284c0ae8 @lstein lstein committed Jun 11, 2014
Showing with 6 additions and 0 deletions.
  1. +3 −0 Changes
  2. +2 −0 lib/Bio/Graphics/Browser2/Render.pm
  3. +1 −0 lib/Legacy/Graphics/Browser/Synteny.pm
@@ -1,3 +1,6 @@
+2.5?
+ * Fix cookies to carry the httponly flag, reducing chance of cross-site scripting exploits.
+
2.56
* Fix failure of feature summary message to appear on mousedown events.
@@ -771,6 +771,7 @@ sub state_cookie {
-name => $CGI::Session::NAME,
-value => $id,
-path => $path,
+ -httponly=> 1,
-expires => '+'.$globals->time2sec($globals->remember_settings_time).'s',
);
return $cookie;
@@ -785,6 +786,7 @@ sub auth_cookie {
my $remember = $self->session->remember_auth;
my @args = (-name => 'authority',
-value=> $auth,
+ -httponly=>1,
-path => $path);
if ($remember) {
push @args,(-expires => '+'.$globals->time2sec($globals->remember_settings_time).'s');
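Review bot: The session and authority cookies built in state_cookie and auth_cookie still lack the `-secure` attribute, so HttpOnly keeps scripts from reading them but the values are still transmitted over plaintext HTTP whenever the site is reachable that way; the same applies to the cookie in print_page_top in lib/Legacy/Graphics/Browser/Synteny.pm. If the deployment is HTTPS-only, add `-secure => 1,` beside each new `-httponly` line (otherwise derive it from the request scheme, since a Secure cookie set over plain HTTP is dropped by browsers). The three added lines also spell the argument three ways (`-httponly=> 1`, `-httponly=>1`, `-httponly => 1`) while the surrounding lists use ` => ` with spaces, so `-httponly => 1,` in all three places would match the existing style. Both state_cookie and auth_cookie continue outside the hunks shown.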
@@ -744,6 +744,7 @@ sub print_page_top {
my $cookie = CGI::Cookie->new(-name => $CGI::Session::NAME,
-value => $session->id,
-path => url(-absolute=>1),
+ -httponly => 1,
-expires => '+1d');
print_header(-cookie => [$cookie], -expires => 'now');

