Avoid cross origin forgery by using same-site cookie (backport #2948) #2958
Conversation
Only allow access to the session cookie from the same site and not for third parties. This avoids CSRF attacks like e.g. [BREACH](http://breachattack.com/). For more details please take a look at http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/

(cherry picked from commit d65c7a3)
(cherry picked from commit d0b8867)
Conflicts: CHANGELOG.md
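As an added example (not code from the gsa project or from this PR), the Node.js snippet below shows what the description asks for at the HTTP level: a session cookie issued with `SameSite=Strict`, `Secure` and `HttpOnly`, next to a small audit that flags a `Set-Cookie` header lacking those attributes, including the `SameSite=None` case that browsers only accept together with `Secure`. The helper names, the cookie name `SESSION_ID` and the sample headers are constructed for the illustration.

```javascript
// Added example, not part of the gsa project or of PR #2948/#2958.
// Helper names, the cookie name SESSION_ID and the sample headers are
// constructed for this illustration.

// Build a Set-Cookie header value for a session cookie. The defaults are the
// hardened form: SameSite=Strict keeps browsers from attaching the cookie to
// requests initiated from another site (the CSRF case the PR addresses),
// Secure limits it to HTTPS and HttpOnly hides it from document.cookie.
function buildSessionCookie(name, value, options = {}) {
  const { sameSite = 'Strict', secure = true, httpOnly = true, path = '/' } = options;
  // RFC 6265 cookie-name is an HTTP token; the value must not contain
  // separators that would let a caller-controlled value inject attributes.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;,\s"\\]/.test(value)) throw new Error('invalid cookie value');
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value into { name, value, attributes }.
// Attribute names are case-insensitive, so they are stored lower-cased;
// flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('malformed cookie pair');
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Audit one Set-Cookie header for a session cookie and return the findings.
// An empty list means the cookie is restricted the way the PR intends.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  const sameSite =
    typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : undefined;
  if (sameSite === undefined) {
    findings.push('SameSite missing: modern browsers default to Lax, older ones to None');
  } else if (sameSite === 'none') {
    findings.push('SameSite=None: cookie is sent on every cross-site request');
    if (!attributes.secure) findings.push('SameSite=None requires Secure');
  }
  if (!attributes.secure) findings.push('Secure missing');
  if (!attributes.httponly) findings.push('HttpOnly missing');
  return findings;
}

// Constructed sample headers: the unrestricted form and the hardened one.
const WEAK_HEADER = 'SESSION_ID=abc123; Path=/';
const HARDENED_HEADER = buildSessionCookie('SESSION_ID', 'constructed-token-0123456789abcdef');

console.log('weak    :', WEAK_HEADER, auditSetCookie(WEAK_HEADER));
console.log('hardened:', HARDENED_HEADER, auditSetCookie(HARDENED_HEADER));
```

The audit is the part worth keeping around: run it over the `Set-Cookie` headers a login response actually returns, and a non-empty findings list tells you the backport did not reach the cookie the browser stores.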
Codecov Report

Coverage diff for #2958 against gsa-21.04 (no change):

| | gsa-21.04 | #2958 | +/- |
|---|---|---|---|
| Coverage | 53.84% | 53.84% | |
| Files | 1075 | 1075 | |
| Lines | 26250 | 26250 | |
| Branches | 7506 | 7506 | |
| Hits | 14133 | 14133 | |
| Misses | 11000 | 11000 | |
| Partials | 1117 | 1117 | |

Continue to review full report at Codecov.
@@ -21,7 +22,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). | |||
- Fixed missing name for CVE results on result detailspage [#2892](https://github.com/greenbone/gsa/pull/2892) | |||
- Fixed setting secret key in RADIUS dialog [#2891](https://github.com/greenbone/gsa/pull/2891) | |||
- Fixed setting result UUID in notes dialog [#2889](https://github.com/greenbone/gsa/pull/2889) | |||
|
|||
- Fixed setting whether to include related resources for new permissions [#2931](https://github.com/greenbone/gsa/pull/2891) |
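Review bot: the entry `- Fixed setting whether to include related resources for new permissions [#2931](https://github.com/greenbone/gsa/pull/2891)` links #2931 to `pull/2891`, the same URL the RADIUS entry two lines above already uses; the link target should be `https://github.com/greenbone/gsa/pull/2931` to match the number in the text. Separately, none of the changelog lines in this hunk mention the same-site session cookie change this PR carries, so the changelog still lacks a line for it; suggest adding one under the same section and dropping entries that do not belong to this backport.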
@bjoernricks @greenbone/gsa-maintainers Seems those entries were unrelated to this MR and at least the RADIUS entry is now duplicated in the changelog (similar happened in #2957 as well).
This is an automatic backport of pull request #2948 done by Mergify.
Cherry-pick of d0b8867 has failed:
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/
Mergify commands and options

More conditions and actions can be found in the documentation.

You can also trigger Mergify actions by commenting on this pull request:

- `@Mergifyio refresh` will re-evaluate the rules
- `@Mergifyio rebase` will rebase this PR on its base branch
- `@Mergifyio update` will merge the base branch into this PR
- `@Mergifyio backport <destination>` will backport this PR on the `<destination>` branch

Additionally, on the Mergify dashboard you can:

Finally, you can contact us on https://mergify.io/