@minrk minrk commented Mar 18, 2016

also make cookies httponly by default, since we do not need or want access to cookies in js

@willingc (Member) commented:

@minrk This looks fine. I'm trying to reason through if a user can have a malicious entry in the cookie_options preconfigured before executing self.set_secure_cookie(self.cookie_name, str(uuid.uuid4()), **cookie_options). Nothing's jumping out at me after looking at the tornado source, but thought I would mention just in case you see anything. If not, merge 👍
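As an added example, not code from the notebook project or this PR, the following reproduces the merge the PR describes (httponly on by default, a configured `cookie_options` dict layered over it) and checks which attributes actually land on the resulting Set-Cookie header. It uses the stdlib `http.cookies` module in place of tornado's `set_secure_cookie` (so no signing), and all function names are assumptions.

```python
"""Added example: default-plus-override cookie options, rendered to a
Set-Cookie header so the HttpOnly/Secure flags can be verified."""
import uuid
from http.cookies import SimpleCookie

# Assumption: the only default the PR introduces is httponly=True; the
# remaining keyword names (secure, path, expires_days) mirror tornado's.
DEFAULT_COOKIE_OPTIONS = {"httponly": True}


def build_cookie_kwargs(cookie_options=None):
    """Merge configured cookie_options over the httponly default.
    Configured keys win, so an explicit httponly=False is honored."""
    kwargs = dict(DEFAULT_COOKIE_OPTIONS)
    kwargs.update(cookie_options or {})
    return kwargs


def render_set_cookie(name, value, **kwargs):
    """Render a Set-Cookie value from tornado-style keyword arguments
    using the stdlib Morsel, so this runs without tornado installed."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    if kwargs.get("httponly"):
        morsel["httponly"] = True
    if kwargs.get("secure"):
        morsel["secure"] = True
    if "path" in kwargs:
        morsel["path"] = kwargs["path"]
    if kwargs.get("expires_days") is not None:
        morsel["max-age"] = int(kwargs["expires_days"] * 86400)
    return morsel.OutputString()


def cookie_flags(header):
    """Return the lowercased attribute names present on a Set-Cookie value
    (everything after the name=value pair)."""
    parts = [p.strip() for p in header.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def login_cookie_header(cookie_name, cookie_options=None):
    """What the handler in the PR does, minus signing: a random uuid4 value
    sent with the merged cookie keyword arguments."""
    kwargs = build_cookie_kwargs(cookie_options)
    return render_set_cookie(cookie_name, str(uuid.uuid4()), **kwargs)
```

A quick check of the rendered header is the cheapest way to confirm a deployment did not silently drop HttpOnly through its configured options.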

@minrk minrk added this to the 4.2 milestone Mar 20, 2016
@minrk (Member, Author) commented Mar 20, 2016

@willingc there's loads the user can do when in control of the server config, including arbitrarily change the behavior of any part of the server, so I don't think we need to consider malice in server-side config.

Thanks for the review!

minrk added a commit that referenced this pull request Mar 20, 2016
Add `cookie_options` to make cookie args configurable
@minrk minrk merged commit 792ff7d into jupyter:master Mar 20, 2016
@minrk minrk deleted the cookie_flags branch March 20, 2016 12:05
minrk added a commit that referenced this pull request Mar 25, 2016
also make cookies httponly by default, since we do not need or want access to cookies in js
yuvipanda pushed a commit to yuvipanda/notebook that referenced this pull request Jul 26, 2016
…nfigurable

also make cookies httponly by default, since we do not need or want access to cookies in js