Allow cookie to be restricted to secure connections #261

Closed
jwb commented Mar 10, 2011

The Cookie.js module only sets the cookie without the Secure option, so the
user's session information could be sent over an open connection. This is
specifically the case if the user first accesses a canvas app using a secure
connection and then visits the application's web site using a URL specifying
http.

This change allows FB.init to accept cookie: 'secure' in addition to
cookie: true. It also assumes that if the FB session ever includes a 'secure'
property, its presence implies that the cookie should be restricted
to secure connections.

It also includes a (weak) test for the new code in cookie.js. More robust
testing depends on an approach for testing against (or mocking) secure (https:)
connections.

The tests have also been modified to allow index.html to provide an
apikey/appid that is used in the initialize.js tests. It's displayed on the
page and will allow the user to change it.

The readme.md is changed to point here for issues since the attempt to report the issue at the location referenced resulted in its immediate closure with instructions to report issues here.

readme.md
 Changed because when an issue was reported on the SDKs, it was closed with a note to report the issue on GitHub.
cookie.js, init.js
 Changed to process parameters to specify secure cookies.
index.html, initialize.js
 Changed to allow API_KEY used in tests to be set in index.html.
cookie.js
 Added test to verify secure cookie option.
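
The rule described in the pull request above (restrict the cookie when `cookie: 'secure'` is passed, or when the session carries a `secure` property), as an added example that is not part of the pull request or the SDK's Cookie.js. The function names, the cookie name `fbs_test` and the session values are constructed for illustration.

```javascript
// Added example; every name below is hypothetical, not the SDK's API.

// Decide whether the session cookie must carry the Secure attribute.
// cookieOption mirrors the FB.init values described above: true or 'secure'.
function wantsSecure(cookieOption, session) {
  if (cookieOption === 'secure') return true;
  // A 'secure' property on the session implies a secure-only cookie.
  return Boolean(session && Object.prototype.hasOwnProperty.call(session, 'secure'));
}

// Build the string that would be assigned to document.cookie.
function buildSessionCookie(name, session, cookieOption, opts) {
  opts = opts || {};
  if (!cookieOption) return null; // cookie support is switched off
  const pairs = Object.keys(session)
    .sort()
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(session[k]))
    .join('&');
  const parts = [name + '="' + pairs + '"', 'path=' + (opts.path || '/')];
  if (opts.domain) parts.push('domain=' + opts.domain);
  if (opts.expires instanceof Date) parts.push('expires=' + opts.expires.toUTCString());
  if (wantsSecure(cookieOption, session)) parts.push('secure');
  return parts.join('; ');
}

// Defensive check for a test or audit: does a cookie string carry Secure?
function hasSecureAttribute(cookieString) {
  return cookieString
    .split(';')
    .slice(1) // skip the name=value pair
    .some((attr) => attr.trim().toLowerCase() === 'secure');
}

// Constructed sample session, not real data.
const sample = { uid: '1001', sig: 'abc' };
console.log(buildSessionCookie('fbs_test', sample, true));     // no Secure attribute
console.log(buildSessionCookie('fbs_test', sample, 'secure')); // Secure attribute set
```
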
msingleton May 4, 2011

  • a million

hopefully this will get accepted soon

oyvindkinsey Jul 9, 2012

Contributor

This repository has been discontinued.
