Make WordPress Core

Opened 9 years ago

Closed 8 years ago

#31056 closed enhancement (fixed)

The wp-saving-post cookie should have the secure flag set when appropriate

Reported by: johnbillion Owned by: johnbillion
Milestone: 4.4 Priority: low
Severity: minor Version:
Component: Security Keywords: has-patch
Focuses: javascript Cc:


Follow-up to #28427.

The wp-saving-post cookie should have the secure flag set to true when home and siteurl both use HTTPS. This is far from critical, but this issue can get flagged up by automated penetration testing.

Attachments (1)

31056.patch (1.1 KB) - added by johnbillion 8 years ago.


Change History (6)

#1 @nacin
9 years ago

I think when the admin is forced SSL, that should be enough to force it here, right?

#2 @johnbillion
8 years ago

  • Milestone changed from Awaiting Review to 4.4

#3 @johnbillion
8 years ago

  • Keywords has-patch added; needs-patch removed

31056.patch addresses the secure flag when this cookie is set both server-side and client-side.

To test, you can trigger the local autosave in your browser console with this:

jQuery( 'form#post' ).trigger( 'submit.autosave-local' )
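An added example, not code from the ticket or from WordPress core: a client-side helper that applies the ticket's rule (Secure only when home and siteurl are both HTTPS) when building the cookie string, plus a small audit that lists cookies set without the Secure attribute on an HTTPS response, which is what an automated scan flags. The function names, the cookie value, path and lifetime are assumptions for illustration.

```javascript
// Example code (not WordPress core). Function names, cookie value, path and
// lifetime are assumed for illustration.

function isHttps(url) {
  return new URL(url).protocol === 'https:';
}

// The ticket's rule: set the Secure flag only when both home and siteurl
// are served over HTTPS.
function shouldUseSecureCookie(homeUrl, siteUrl) {
  return isHttps(homeUrl) && isHttps(siteUrl);
}

// Build the document.cookie assignment for the local-autosave marker.
// Cookie value, path and max-age are assumed values for this example.
function buildSavingPostCookie(postId, secure, path = '/', maxAgeSeconds = 60) {
  const parts = [
    'wp-saving-post=' + encodeURIComponent(String(postId)),
    'path=' + path,
    'max-age=' + maxAgeSeconds,
  ];
  if (secure) parts.push('secure');
  return parts.join('; ');
}

// Audit: given the Set-Cookie header values of a response, return the names
// of cookies that lack the Secure attribute. Attribute names are matched
// case-insensitively. On a plain-HTTP response the flag is not applicable,
// so nothing is reported.
function cookiesMissingSecure(setCookieHeaders, responseUrl) {
  if (!isHttps(responseUrl)) return [];
  const missing = [];
  for (const header of setCookieHeaders) {
    const attrs = header.split(';').map((s) => s.trim());
    const name = attrs[0].split('=')[0];
    const hasSecure = attrs.slice(1).some((a) => a.toLowerCase() === 'secure');
    if (!hasSecure) missing.push(name);
  }
  return missing;
}

// Constructed sample headers: one cookie carries Secure, one does not.
const SAMPLE_SET_COOKIE = [
  'wordpress_logged_in_abc=alice%7C123; path=/; HttpOnly; Secure',
  'wp-saving-post=42; path=/; Max-Age=60',
];
```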

#4 @wonderboymusic
8 years ago

  • Owner set to johnbillion
  • Status changed from new to assigned

#5 @johnbillion
8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 34027:

Set the secure flag on the wp-saving-post cookie when using HTTPS.

This cookie doesn't contain any sensitive information, but this change brings its behaviour in line with all other core cookies.

Fixes #31056