Remove Set-Cookie .... HttpOnly;secure to allow CSRF access
Angular (running in the page) can't access the CSRF token if the cookie is set to secure. This is a temporary patch to resolve the issue whilst a more permanent fix is found. This reverts patch I1ded951d79ad9fa832d1e88f656a1e064b1ef007 (essentially). Change-Id: Ied9d0f5486c260a17da9375ec6347d0952154225 Related-Bug: #1822751 Closes-Bug: #1853173
This commit is contained in:
parent
3c1daae756
commit
2ac72c39b4
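--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -44,7 +44,8 @@ NameVirtualHost *:{{ 443 }}
 SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
 {% if enforce_ssl %}
 Header set Strict-Transport-Security "max-age={{ hsts_max_age_seconds }}"
-Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+# NOTE(ajkavanagh) due to Bug 1853173 the cookie can't be secure at this time, so disabling until a fix is found.
+# Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
 {% endif %}
 Header set X-XSS-Protection "1; mode=block"
 Header set X-Content-Type-Options "nosniff"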
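Review bot: Commenting out the whole `Header edit Set-Cookie` directive on the new side strips both `HttpOnly` and `Secure` from every cookie the backend sets inside this `enforce_ssl` block — the session cookie included — although the stated problem concerns only page script reading the CSRF cookie. The attribute that blocks script access is `HttpOnly`; `Secure` only limits the cookie to HTTPS transport and, since this stanza is already guarded by `{% if enforce_ssl %}`, it can be retained independently of the CSRF issue: `Header edit Set-Cookie ^(.*)$ $1;Secure`. If `HttpOnly` really must be dropped for the CSRF cookie, mod_headers accepts a PCRE pattern, so the remaining cookies can stay hardened: `Header edit Set-Cookie "^((?!<CSRF_COOKIE_NAME>=).*)$" "$1;HttpOnly;Secure"` (the cookie name is not on the page). The NOTE comment should also record the widened exposure so the follow-up for bug 1853173 restores it, e.g. `# NOTE(ajkavanagh) Bug 1853173: HttpOnly/Secure disabled on ALL cookies (session cookie included) so page JS can read the CSRF token; restore once fixed.` The enclosing VirtualHost stanza starts and ends outside the hunk.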