GitList

@@ -19,6 +19,7 @@ func NewStore(maxAgeSeconds int, secrets ...string) Store {
 	}
 	cookie := sessions.NewCookieStore(values...)
 	cookie.Options.MaxAge = maxAgeSeconds
+	cookie.Options.HttpOnly = true
 	return store{cookie}
 }
 

pkg/cmd/server/origin/auth.go

History View file @ d9e02dc

@@ -256,7 +256,7 @@ func CreateOrUpdateDefaultOAuthClients(masterPublicAddr string, assetPublicAddre
                      // getCSRF returns the object responsible for generating and checking CSRF tokens
                      func getCSRF() csrf.CSRF {
                     -	return csrf.NewCookieCSRF("csrf", "/", "", false, false)
                     +	return csrf.NewCookieCSRF("csrf", "/", "", false, true)
+                     }
                      func (c *AuthConfig) getAuthorizeAuthenticationHandlers(mux cmdutil.Mux) (authenticator.Request, handlers.AuthenticationHandler, osinserver.AuthorizeHandler, error) {

...	...	@@ -19,6 +19,7 @@ func NewStore(maxAgeSeconds int, secrets ...string) Store {
19	19	}
20	20	cookie := sessions.NewCookieStore(values...)
21	21	cookie.Options.MaxAge = maxAgeSeconds
	22	+ cookie.Options.HttpOnly = true
22	23	return store{cookie}
23	24	}
24	25

Make csrf and session cookies httpOnly