oqtane / oqtane.framework

CMS & Application Framework for Blazor & .NET MAUI
http://www.oqtane.org
MIT License
1.9k stars 550 forks

Localization Cookie Static Conditional HttpOnly=True #4730

Closed thabaum closed 1 month ago

thabaum commented 1 month ago

Fix #4714

4703

4728

This adds conditional checks in the LanguageSwitcher.razor component and the App.razor component to check if the current render mode is Static and, if it is, set HttpOnly=True for the culture cookie when it is created. Otherwise it is set to false.

sbwalker commented 1 month ago

I am not going to merge this PR as there is the real possibility that if a site starts with Static render mode (the default) and later changes to Interactive - the users of the site would run into issues setting the language cookie and would need to manually remove the cookie from their browser in order to get it to work properly.

maurocavallin commented 1 month ago

> I am not going to merge this PR as there is the real possibility that if a site starts with Static render mode (the default) and later changes to Interactive - the users of the site would run into issues setting the language cookie and would need to manually remove the cookie from their browser in order to get it to work properly.

I can confirm: with this PR a cookie that starts HttpOnly in Static mode stays unchanged when switching to Interactive, then the user has to manually remove the cookie to go on.

I agree the language cookie can be HttpOnly=false for any mode; it has no sensitive content, and even if it is manipulated by any allowed actor on the client side, it can do no harm.

thabaum commented 1 month ago

Thanks for the explanation and review.

thabaum commented 1 month ago

Could we expire the cookie, then create a new one?

sbwalker commented 1 month ago

@thabaum If a cookie has HttpOnly disabled it does not mean your site is vulnerable to attack. HttpOnly is only an extra layer of defense (for those browsers that actually support it). XSS requires an initial attack vector - the injection of executable JavaScript into a page. If your site allows a malicious user to inject JavaScript then they could include a script which can read the value of cookies. HttpOnly prevents scripts from reading cookie values. So it's useful as an additional safeguard for authentication cookies or cookies which store other confidential information. But if your site allows malicious scripts to be injected then you obviously have much bigger problems to worry about than just cookies.
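The conditional cookie write described in the PR description, together with the migration caveat raised in the review, as an added C# example that is not Oqtane's own code; the `CultureCookie` class, its `isStaticRenderMode` parameter and the `SameSite` setting are assumptions, while the cookie name and value format are the ones ASP.NET Core's `CookieRequestCultureProvider` reads.

```csharp
// Added example, not Oqtane's code: writing the ASP.NET Core culture cookie
// with HttpOnly tied to the render mode, and why that choice is a one-way door.
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Localization;

public static class CultureCookie
{
    // ".AspNetCore.Culture": the name CookieRequestCultureProvider looks up on every request.
    public static string Name => CookieRequestCultureProvider.DefaultCookieName;

    // isStaticRenderMode is an assumed flag the caller derives from the component's render mode.
    public static CookieOptions OptionsFor(bool isStaticRenderMode)
    {
        return new CookieOptions
        {
            Expires = DateTimeOffset.UtcNow.AddYears(1),
            SameSite = SameSiteMode.Lax, // assumed; not part of the PR
            // The PR's rule: HttpOnly only while the cookie is produced server-side.
            // Caveat from the review: a browser that already holds an HttpOnly copy
            // will ignore later document.cookie writes from Interactive mode, so the
            // stale cookie wins until the user deletes it or the server re-issues it.
            HttpOnly = isStaticRenderMode
        };
    }

    // Static render mode: the response is built on the server, so the cookie can be
    // appended through HttpContext. In Interactive mode the same cookie would be
    // written from JS interop, which cannot touch an HttpOnly cookie at all.
    public static void WriteFromServer(HttpContext context, string culture, bool isStaticRenderMode)
    {
        var value = CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture));
        context.Response.Cookies.Append(Name, value, OptionsFor(isStaticRenderMode));
    }
}
```

The value HttpOnly protects against is script reading the cookie, and the culture cookie carries nothing worth reading; the cost is that the cookie can then only be changed or removed by a server response, which is exactly the failure the reviewers describe.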