umbraco / Umbraco-CMS

Umbraco is a free and open source .NET content management system helping you deliver delightful digital experiences.
https://umbraco.com
MIT License

UMB-XSRF-TOKEN cookie not set as HTTP Only #16506

Closed acasamassima86 closed 1 month ago

acasamassima86 commented 2 months ago

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

13.3.2

Bug summary

Umbraco uses the UMB-XSRF-TOKEN cookie for CSRF protection. However, the cookie is not currently set as Secure, meaning it can be transmitted over HTTP. This could allow an attacker to intercept the cookie and use it to forge requests to the Umbraco server.

Specifics

Umbraco uses the UMB-XSRF-TOKEN cookie for CSRF protection. However, the cookie is not currently set as Secure, meaning it can be transmitted over HTTP. This could allow an attacker to intercept the cookie and use it to forge requests to the Umbraco server.

Steps to reproduce

  1. Open Umbraco Backoffice
  2. Inspect the cookies in the browser developer tools
  3. Observe that the UMB-XSRF-TOKEN cookie is not set as Secure (not HTTP Only)

Expected result / actual result

The UMB-XSRF-TOKEN cookie should be set as Secure (HTTP Only).

Additional notes:

This issue has been reported previously: https://github.com/umbraco/Umbraco-CMS/issues/4138

github-actions[bot] commented 2 months ago

Hi there @acasamassima86!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:

NguyenThuyLan commented 1 month ago

Hi @acasamassima86, thanks for reporting this. The reason that the UMB_XSRF_TOKEN cookie is not set as HTTP Only is because the value needs to be read in JavaScript to ensure a correct XSRF token is supplied when doing an API request, see MS docs: https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-8.0#javascript-ajax-and-spas
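The report above uses "Secure" and "HTTP Only" interchangeably, but they are separate cookie attributes: Secure restricts the cookie to HTTPS, HttpOnly hides it from script. The double-submit pattern the maintainer links to needs the XSRF cookie readable by script, so the defensible policy is Secure yes, HttpOnly no for that one cookie, and both for session cookies. The following is an added example, not Umbraco's own code; the `X-UMB-XSRF-TOKEN` header name, the `SESSIONID` cookie and all sample header values are constructed assumptions for illustration.

```javascript
// Parse one Set-Cookie header value into name, value and attribute flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const flags = { secure: false, httpOnly: false, sameSite: null };
  for (const a of attrs) {
    const [k, v] = a.split("=");
    const key = k.toLowerCase();
    if (key === "secure") flags.secure = true;
    else if (key === "httponly") flags.httpOnly = true;
    else if (key === "samesite") flags.sameSite = (v || "").toLowerCase();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), ...flags };
}

// Policy check: every cookie must be Secure (the report's actual complaint).
// The anti-forgery cookie must NOT be HttpOnly, because the backoffice SPA reads
// it and echoes it in a request header; any other cookie should be HttpOnly.
function checkCookiePolicy(cookie) {
  const problems = [];
  if (!cookie.secure) problems.push("missing Secure");
  if (cookie.name === "UMB-XSRF-TOKEN") {
    if (cookie.httpOnly) problems.push("HttpOnly would break JS access to XSRF token");
  } else if (!cookie.httpOnly) {
    problems.push("missing HttpOnly");
  }
  return problems;
}

// Audit a list of Set-Cookie values; returns { cookieName: [problems...] }.
function auditSetCookies(headers) {
  const report = {};
  for (const h of headers) {
    const c = parseSetCookie(h);
    report[c.name] = checkCookiePolicy(c);
  }
  return report;
}

// Client side of the double-submit pattern: read the token from a cookie string
// (document.cookie in a browser; a constructed string here) and copy it into the
// header the server compares against the cookie. Header name is an assumption.
function xsrfHeaders(cookieString) {
  const m = cookieString.match(/(?:^|;\s*)UMB-XSRF-TOKEN=([^;]*)/);
  return m ? { "X-UMB-XSRF-TOKEN": decodeURIComponent(m[1]) } : {};
}

// Constructed sample response headers: the XSRF cookie as it should look, and a
// hypothetical session cookie with both attributes.
const SAMPLE_SET_COOKIES = [
  "UMB-XSRF-TOKEN=abc123; Path=/; Secure; SameSite=Strict",
  "SESSIONID=def456; Path=/; Secure; HttpOnly; SameSite=Strict",
];
```

Running `auditSetCookies(SAMPLE_SET_COOKIES)` returns an empty problem list for both cookies, while a token cookie issued without Secure is flagged as "missing Secure" and one issued with HttpOnly is flagged as unreadable by the SPA.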