Freeze Break request: set httponly True in all our TG1 apps

Toshio Kuratomi a.badger at gmail.com
Fri Mar 23 18:35:12 UTC 2012


+1

-Toshio
On Fri, Mar 23, 2012 at 02:23:09PM -0400, seth vidal wrote:
> On Fri, 23 Mar 2012 12:22:04 -0600
> Kevin Fenzi <kevin at scrye.com> wrote:
> 
> > Greetings. 
> > 
> > See this ticket for some background: 
> > 
> > https://fedorahosted.org/fedora-infrastructure/ticket/3022
> > 
> > I have tested all these in staging, so I don't think there will be any
> > issues with anything, but if so we can always revert pretty easily. 
> > I also set secure on all our TG1 apps that didn't have that set. 
> > 
> > +1s? 
> > 
> > kevin
> > --
> > diff --git a/modules/bodhi/templates/bodhi-prod.cfg.erb
> > b/modules/bodhi/templates/bodhi-prod.cfg.erb index 9c176de..d554253
> > 100644 --- a/modules/bodhi/templates/bodhi-prod.cfg.erb
> > +++ b/modules/bodhi/templates/bodhi-prod.cfg.erb
> > @@ -71,6 +71,7 @@
> > identity.saprovider.model.visit="fedora.accounts.tgfas.VisitIdentity"
> > visit.manager="jsonfas2"
> > visit.saprovider.model="fedora.accounts.tgfas.Visit"
> > visit.cookie.secure = True +visit.cookie.httponly = True
> >  
> >  # Our identity that we use to fetch bugzilla details and such
> >  bodhi_password='<%= bodhiBugzillaPassword %>'
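Review bot: a key the installed TurboGears release does not implement is just ignored here (these `visit.*` entries are plain key/value settings, nothing validates them), so a passing staging test can mean "nothing broke" rather than "the flag is set". Before relying on it, confirm the header actually carries the flag, e.g. `curl -sD - -o /dev/null https://<bodhi host>/ | grep -i set-cookie` should show `HttpOnly` next to `Secure` on the visit cookie. The placement itself is fine: `+visit.cookie.httponly = True` sits directly under `visit.cookie.secure = True` in the existing visit block.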
> > diff --git a/modules/elections/templates/elections-prod.cfg.erb
> > b/modules/elections/templates/elections-prod.cfg.erb index
> > d1bfc24..0b379fd 100644 ---
> > a/modules/elections/templates/elections-prod.cfg.erb +++
> > b/modules/elections/templates/elections-prod.cfg.erb @@ -45,6 +45,9
> > @@ autoreload.on=False autoreload.package="elections"
> >  server.log_to_screen=False
> >  
> > +visit.cookie.secure = True
> > +visit.cookie.httponly = True
> > +
> >  # Auto-Reload after code modification
> >  # autoreload.on = True
> >  
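Review bot: `+visit.cookie.secure = True` is new for elections (bodhi and mirrormanager already had it), so this hunk changes more than HttpOnly: browsers will stop sending the visit cookie on plain-http requests, and a login reached over http would appear to silently not stick. Confirm elections is only served over https (or redirects http to it) before merging. Minor: the two new lines land between `server.log_to_screen=False` and the `# Auto-Reload` comment with nothing saying what they are for; a one-line comment like the one fas.cfg.erb carries (`# Make the session cookie only return to the host over an SSL link`) would make the intent obvious to the next editor.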
> > diff --git a/modules/fas/templates/fas.cfg.erb
> > b/modules/fas/templates/fas.cfg.erb index 08b58ff..3232b40 100644
> > --- a/modules/fas/templates/fas.cfg.erb
> > +++ b/modules/fas/templates/fas.cfg.erb
> > @@ -117,7 +117,7 @@ server.log_to_screen = False
> >  # Make the session cookie only return to the host over an SSL link
> >  visit.cookie.secure = True
> >  session_filter.cookie_secure = True
> > -
> > +visit.cookie.httponly = True
> >  
> >  ###
> >  ### Communicating to other services
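Review bot: HttpOnly is added only to the visit cookie here; the CherryPy session cookie governed by `session_filter.cookie_secure = True` on the line above gets no matching HttpOnly setting, so FAS would still emit one cookie that script on the page can read. If the session filter has an equivalent option, set it alongside `+visit.cookie.httponly = True`; if it does not, say so in the commit message so the gap is recorded rather than assumed closed. Also extend the comment `# Make the session cookie only return to the host over an SSL link` so it covers the HttpOnly line now sitting under it.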
> > diff --git
> > a/modules/mirrormanager/templates/mirrormanager-prod.cfg.erb
> > b/modules/mirrormanager/templates/mirrormanager-prod.cfg.erb index
> > 32c3d91..a3674b6 100644 ---
> > a/modules/mirrormanager/templates/mirrormanager-prod.cfg.erb +++
> > b/modules/mirrormanager/templates/mirrormanager-prod.cfg.erb @@ -61,6
> > +61,7 @@
> > identity.saprovider.model.visit="fedora.accounts.tgfas.VisitIdentity"
> > visit.manager="jsonfas2"
> > visit.saprovider.model="fedora.accounts.tgfas.Visit"
> > visit.cookie.secure = True +visit.cookie.httponly = True
> > mirrormanager.admin_group = 'sysadmin-web'
> > mirrormanager.max_stale_days = 2 diff --git
> > a/modules/smolt/templates/prod.cfg.erb
> > b/modules/smolt/templates/prod.cfg.erb index 0e10dbd..2c34b3d 100644
> > --- a/modules/smolt/templates/prod.cfg.erb +++
> > b/modules/smolt/templates/prod.cfg.erb @@ -60,6 +60,9 @@
> > tg.strict_parameters = True tg.ignore_parameters = ["_csrf_token"]
> >  tg.scheduler = True
> >  
> > +visit.cookie.secure = True
> > +visit.cookie.httponly = True
> > +
> >  # LOGGING
> >  # Logging configuration generally follows the style of the standard
> >  # Python logging module configuration. Note that when specifying
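Review bot: as with elections, `+visit.cookie.secure = True` is new for smolt, so check more than a browser login in staging: if smolt's profile uploader talks to this server with a visit cookie it obtained over plain http, the Secure flag will stop the cookie being returned and submissions would fail without an obvious error. Confirm the upload path is https end to end before merging. The mirrormanager hunk above (its trailing context line `mirrormanager.max_stale_days = 2` ran into this file's `diff --git` header in the quoted mail) needs nothing beyond the same Set-Cookie header check as bodhi, since it only adds `visit.cookie.httponly = True` next to an existing `visit.cookie.secure = True`.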
> 
> 
> +1
> 
> -sv



> _______________________________________________
> infrastructure mailing list
> infrastructure at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure
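A check for what this thread is doing, as an added example that is not part of the original mail or of the Fedora infrastructure repository: it pulls the Set-Cookie headers out of a raw HTTP response (the shape `curl -sD - -o /dev/null https://host/` prints) and reports which of the watched session cookies lack Secure or HttpOnly. The cookie names tg-visit (TurboGears 1 visit cookie) and session_id (CherryPy session filter) are the frameworks' default names and are assumed here; the response blocks are constructed, not captured from any Fedora host.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

Added example for this thread, not code from Fedora Infrastructure or
TurboGears.  The cookie names "tg-visit" (TurboGears 1 visit cookie) and
"session_id" (CherryPy session filter) are the frameworks' default names and
are assumed here; both are configurable.  The header blocks below are
constructed, not captured from any real host.
"""
from typing import Dict, List, Tuple

# Attribute names as they appear in the header, matched case-insensitively.
REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, object]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased.  Flag attributes written without a
    value (Secure, HttpOnly) map to True; valued ones (Path, Domain,
    Expires) map to their string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("not a cookie pair: %r" % parts[0])
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def set_cookie_values(raw_headers: str) -> List[str]:
    """Return the value of every Set-Cookie header in a raw HTTP header
    block.  Header names are matched case-insensitively; the status line,
    blank lines and other headers are skipped.
    """
    values = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookies(raw_headers: str,
                  watch: Tuple[str, ...] = ("tg-visit", "session_id")) -> Dict[str, List[str]]:
    """Map each watched cookie that lacks Secure or HttpOnly to the flags it
    is missing.  Cookies outside `watch` are ignored and cookies carrying
    both flags are omitted, so an empty dict means the response passes.
    A flag given with a value (e.g. `Secure=1`) is not what browsers
    recognise and counts as missing.
    """
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_values(raw_headers):
        name, _value, attrs = parse_set_cookie(header)
        if name not in watch:
            continue
        missing = [flag for flag in REQUIRED_FLAGS
                   if attrs.get(flag.lower()) is not True]
        if missing:
            findings[name] = missing
    return findings


# Constructed responses: a TG1 app with only visit.cookie.secure set, and
# the same app after adding visit.cookie.httponly while the CherryPy
# session cookie (session_filter.*) is left as it was.
BEFORE_PATCH = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: tg-visit=3b9d0f6c1e2a; Path=/; Secure\r\n"
    "Set-Cookie: session_id=9a1c77e0; Path=/; Secure\r\n"
    "\r\n"
)
AFTER_PATCH = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: tg-visit=3b9d0f6c1e2a; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: session_id=9a1c77e0; Path=/; Secure\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"  # not a session cookie, not watched
    "\r\n"
)

if __name__ == "__main__":
    for label, block in (("before", BEFORE_PATCH), ("after", AFTER_PATCH)):
        print(label, audit_cookies(block) or "all watched cookies carry both flags")
```

Run it against staging before and after the config push; an empty result means every watched cookie carries both flags. It is also the quickest way to catch a config key the framework silently ignored: if the header does not change, the line did nothing.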
