[wp-trac] [WordPress Trac] #52639: Add proper Security Attributes to the Cookies set by WordPress
WordPress Trac
noreply at wordpress.org
Wed Feb 24 15:04:27 UTC 2021
#52639: Add proper Security Attributes to the Cookies set by WordPress
-------------------------------+-------------------------------
Reporter: isaumya | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses: coding-standards
-------------------------------+-------------------------------
Comment (by isaumya):
Replying to [comment:2 SergeyBiryukov]:
> I'm also attaching a screenshot of the Chrome Dev Tools panel from an
> HTTPS site, where you can clearly see the `Secure` and `HttpOnly`
> attributes.
Hi @SergeyBiryukov,
Yes, but `HttpOnly` is not present in all the cookies added by WP, even
in your screenshot. Some are still missing it.
Another thing I noticed: in `/wp-includes/comment.php`, on line no. `591`, I
see this:
`$secure = ( 'https' === parse_url( home_url(), PHP_URL_SCHEME ) );`
I don't understand why this is being used instead of `is_ssl()`. Why have
repeating code that does the same thing in a different way?
Also, inside `/wp-includes/pluggable.php`, from line no. `987` to `1011`, I
see a lot of `setcookie()` calls without any `$secure` in them.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52639#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
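
As an added example (not part of the ticket or of WordPress core), the check done by eye in the Dev Tools screenshot can be scripted: the Python below parses raw `Set-Cookie` header lines and lists, per cookie, which of `Secure` and `HttpOnly` are absent. The header lines and the `HASH` suffix are constructed placeholders, and `parse_set_cookie` and `audit` are hypothetical names.

```python
# Added example: report which cookies lack the Secure / HttpOnly attributes.
# SAMPLE_HEADERS is constructed input, not captured from a real site.
SAMPLE_HEADERS = [
    "Set-Cookie: wordpress_logged_in_HASH=user%7C1614179067%7Ctoken; path=/; secure; HttpOnly",
    "Set-Cookie: wp-settings-1=libraryContent%3Dbrowse; Max-Age=31536000; path=/; secure",
    "Set-Cookie: comment_author_HASH=Alice; expires=Thu, 24-Feb-2022 15:04:27 GMT; path=/",
]


def parse_set_cookie(line):
    """Return (cookie_name, {lowercased_attribute: value}) for one header line."""
    # Accept either a full "Set-Cookie: ..." line or just the header value.
    value = line.split(":", 1)[1] if line.lower().startswith("set-cookie:") else line
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are matched case-insensitively (RFC 6265).
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(lines, site_is_https=True):
    """Return {cookie_name: [absent attributes]} for cookies missing a flag."""
    findings = {}
    for line in lines:
        name, attrs = parse_set_cookie(line)
        missing = []
        # Secure is only expected when the site itself is served over HTTPS.
        if site_is_https and "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```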