Make WordPress Core

Changes between Version 1 and Version 2 of Ticket #52639, comment 8

Timestamp: 06/20/2022 02:38:33 PM (2 years ago)
Author: jornfranke
Ticket #52639, comment 8

v1 (line 1):
I see this as a clear security issue if the cookie with the session id is available to JS. For instance, a cross-site scripting attack can easily steal the cookie and provide it to third parties.

v2 (line 1, modified):
I see this as a clear security issue if the cookie with the session id is available to JS. For instance, a cross-site scripting attack can easily steal the cookie and provide it to third parties. And this is not unlikely with the complex software supply chain of WP, the extensions, third party libraries (e.g. NPM) etc.

Unmodified in both versions (line 3):
There should be multiple defense mechanisms. HttpOnly and Secure are mandatory for sessions in cookies. There is also no doubt about that (e.g. see here: https://owasp.org/www-community/HttpOnly).
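The comment's point is that a session cookie must carry the HttpOnly and Secure attributes so that script cannot read it and it is never sent over plain HTTP. The following Python audit is an added example written for this page; it is not code from the ticket, from WordPress core, or from the commenter. It parses Set-Cookie header values (attribute names are case-insensitive per RFC 6265, and flag attributes carry no value) and reports which protective attribute each cookie lacks. The header values in SAMPLE_HEADERS are constructed for illustration, not captured from any real site.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example, not from the ticket or WordPress core. The sample
header values below are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed Set-Cookie values as a server might emit them.
SAMPLE_HEADERS: List[str] = [
    "session_a=abc123; Path=/; HttpOnly; Secure",   # correctly flagged
    "session_b=def456; Path=/",                     # readable by JS, sent over HTTP
    "session_c=ghi789; path=/; secure; httponly",   # lower-case attributes still count
    "theme=dark; Path=/; Secure",                   # missing HttpOnly
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name, value and attribute map.

    Attribute names are lower-cased because RFC 6265 treats them as
    case-insensitive; attributes without '=' (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def missing_session_flags(header: str) -> List[str]:
    """Return the protective flags this cookie lacks (empty list means both present)."""
    attrs = parse_set_cookie(header)["attrs"]
    missing: List[str] = []
    if attrs.get("httponly") is not True:
        missing.append("HttpOnly")
    if attrs.get("secure") is not True:
        missing.append("Secure")
    return missing


def audit_headers(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit a list of Set-Cookie values; return (cookie name, missing flags) per cookie."""
    return [(parse_set_cookie(h)["name"], missing_session_flags(h)) for h in headers]


if __name__ == "__main__":
    for name, missing in audit_headers(SAMPLE_HEADERS):
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

In practice the header values would come from an HTTP client's response (for example the list of Set-Cookie headers returned by a login request); any session cookie whose entry in the result lists a missing flag is exactly the condition the comment describes, since a script running in the page could then read it.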