nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Take httponly off of session cookies so that the websocket works in firefox 3.x. XSS attacks would now be easier to exploit if found. A possible replacement for opening this security hole is to set a new cookie value for Firefox users that stores a randomly generated key which would give a websocket with that key access.

Browse source
This commit is contained in:
Raphael 2010-11-04 15:17:17 -07:00
parent ea0f0fbdc5
commit 229e202a72
2 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
config/initializers/session_store.rb
View file

@ -4,7 +4,7 @@
# Be sure to restart your server when you modify this file. # Be sure to restart your server when you modify this file.
Rails.application.config.session_store :cookie_store, :key => '_diaspora_session' Rails.application.config.session_store :cookie_store, :key => '_diaspora_session', :httponly => false
# Use the database for sessions instead of the cookie-based default, # Use the database for sessions instead of the cookie-based default,
# which shouldn't be used to store highly confidential information # which shouldn't be used to store highly confidential information

2
script/websocket_server.rb
View file

@ -25,7 +25,7 @@ def write_pidfile
end end
def debug_pp thing def debug_pp thing
pp thing if APP_CONFIG[:socket_debug] || ENV[:SOCKET_DEBUG] pp thing if APP_CONFIG[:socket_debug] || ENV['SOCKET_DEBUG']
end end
CHANNEL = Magent::GenericChannel.new('websocket') CHANNEL = Magent::GenericChannel.new('websocket')