[server] Set owner token cookie HttpOnly and Secure #4832

Merged: csweichel merged 1 commit into main from csweichel/mark-owner-token-as-http-4830 on Jul 16, 2021

csweichel
Contributor

@csweichel csweichel commented Jul 15, 2021

Previously, the owner token could be read by a VS Code extension or a website served from a port.
Granted, not a very useful thing to do especially in the latter case, because you're already in the workspace then.

fixes #4830
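
The two attributes named in the PR title can be verified from the response side. The following is an added example, not code from this PR or from the project's code base: it parses `Set-Cookie` header values and reports a missing `HttpOnly` or `Secure` attribute. The cookie name `owner_token_example` and the sample headers are constructed placeholders.

```javascript
// Added example: audit Set-Cookie header values for HttpOnly and Secure.
// The cookie name and sample headers are constructed, not taken from the PR.

// Parse one Set-Cookie header value into name, value and an attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  if (eq < 1) return null; // a cookie pair needs a non-empty name
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attrs: new Map(),
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive (RFC 6265), so normalise them.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs.set(key, i === -1 ? '' : part.slice(i + 1).trim());
  }
  return cookie;
}

// Return the findings for one header: which protective flags are missing.
function auditCookie(header) {
  const cookie = parseSetCookie(header);
  if (!cookie) return { name: null, findings: ['unparseable Set-Cookie value'] };
  const findings = [];
  if (!cookie.attrs.has('httponly')) {
    findings.push('missing HttpOnly: readable via document.cookie');
  }
  if (!cookie.attrs.has('secure')) {
    findings.push('missing Secure: may be sent over plain HTTP');
  }
  return { name: cookie.name, findings };
}

// Constructed sample headers; "owner_token_example" is a placeholder name.
const SAMPLES = [
  'owner_token_example=abc123; Path=/; Max-Age=300',
  'owner_token_example=abc123; Path=/; HttpOnly',
  'owner_token_example=abc123; Path=/; httponly; SECURE; SameSite=Lax',
];

for (const header of SAMPLES) {
  const { name, findings } = auditCookie(header);
  console.log(name, findings.length ? findings : 'ok');
}
```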

@csweichel csweichel requested a review from akosyakov July 15, 2021 09:47
@codecov

codecov bot commented Jul 15, 2021

Codecov Report

Merging #4832 (31d2ad6) into main (92a11b1) will decrease coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #4832      +/-   ##
==========================================
- Coverage   35.94%   35.92%   -0.03%     
==========================================
  Files          78       78              
  Lines       15484    15484              
==========================================
- Hits         5566     5562       -4     
- Misses       9432     9437       +5     
+ Partials      486      485       -1     
Flag Coverage Δ
components-content-service-app 14.35% <ø> (ø)
components-content-service-lib 14.35% <ø> (ø)
components-ee-ws-scheduler-app 62.68% <ø> (-0.17%) ⬇️
components-image-builder-api-go-lib ∅ <ø> (∅)
components-image-builder-app 34.44% <ø> (ø)
components-local-app-app-darwin ?
components-local-app-app-linux ?
components-local-app-app-windows ?
components-supervisor-app 36.21% <ø> (-0.08%) ⬇️
components-workspacekit-app ∅ <ø> (∅)
components-ws-daemon-api-go-lib ∅ <ø> (∅)
components-ws-daemon-app 22.29% <ø> (ø)
components-ws-daemon-nsinsider-app ∅ <ø> (∅)
components-ws-manager-api-go-lib ∅ <ø> (∅)
components-ws-manager-app 36.68% <ø> (ø)
components-ws-proxy-app 65.84% <ø> (+0.16%) ⬆️
dev-loadgen-app ∅ <ø> (∅)

Impacted Files Coverage Δ
components/ee/ws-scheduler/pkg/scheduler/state.go 90.46% <0.00%> (-0.99%) ⬇️
components/supervisor/pkg/ports/ports.go 59.85% <0.00%> (-0.36%) ⬇️
components/supervisor/pkg/terminal/terminal.go 64.19% <0.00%> (-0.31%) ⬇️
components/ws-proxy/pkg/proxy/infoprovider.go 50.34% <0.00%> (+0.68%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@akosyakov
Member

akosyakov commented Jul 16, 2021

/werft run

👍 started the job as gitpod-build-csweichel-mark-owner-token-as-http-4830.1

Member

@akosyakov akosyakov left a comment

works as advertised

@roboquat
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: akosyakov, csweichel
To complete the pull request process, please assign jankoehnlein after the PR has been reviewed.
You can assign the PR to them by writing /assign @jankoehnlein in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@csweichel csweichel merged commit 42618d6 into main Jul 16, 2021
@csweichel csweichel deleted the csweichel/mark-owner-token-as-http-4830 branch July 16, 2021 06:18
Successfully merging this pull request may close these issues.

mark owner token as http only