WordPress.org
Get WordPress

Make WordPress Core

Opened 11 years ago

Closed 11 years ago

#31056 closed enhancement (fixed)

The wp-saving-post cookie should have the secure flag set when appropriate

Reported by: johnbillion's profile johnbillion Owned by: johnbillion's profile johnbillion
Milestone: 4.4 Priority: low
Severity: minor Version:
Component: Security Keywords: has-patch
Focuses: javascript Cc:

Description

Follow-up to #28427.

The wp-saving-post cookie should have the secure flag set to true when home and siteurl both use HTTPS. This is far from critical, but this issue can get flagged up by automated penetration testing.

Attachments (1)

31056.patch (1.1 KB) - added by johnbillion 11 years ago.

Download all attachments as: .zip

Change History (6)

#1 @nacin
11 years ago

I think when the admin is forced SSL, that should be enough to force it here, right?

#2 @johnbillion
11 years ago

  • Milestone changed from Awaiting Review to 4.4

@johnbillion
11 years ago

#3 @johnbillion
11 years ago

  • Keywords has-patch added; needs-patch removed

31056.patch addresses the secure flag when this cookie is set both server-side and client-side.

To test, you can trigger the local autosave in your browser console with this:

jQuery( 'form#post' ).trigger( 'submit.autosave-local' )

#4 @wonderboymusic
11 years ago

  • Owner set to johnbillion
  • Status changed from new to assigned

#5 @johnbillion
11 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 34027:

Set the secure flag on the wp-saving-post cookie when using HTTPS.

This cookie doesn't contain any sensitive information, but this change brings its behaviour in line with all other core cookies.

Fixes #31056

Note: See TracTickets for help on using tickets.