browse: Don't leak Cookies to sessions in HTTP from HTTPS

c05c5163 · W-Mark Kubacki · 3513b6f2 · c05c5163
Commit c05c5163 authored Apr 16, 2016 by W-Mark Kubacki
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

middleware/browse/browse.go middleware/browse/browse.go +3 -3

No files found.
--- a/middleware/browse/browse.go
+++ b/middleware/browse/browse.go
@@ -315,8 +315,8 @@ func (b Browse) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
 			listing.Sort = sortCookie.Value
 		}
 	} else { // Save the query value of 'sort' and 'order' as cookies.
-		http.SetCookie(w, &http.Cookie{Name: "sort", Value: listing.Sort, Path: "/"})
-		http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: "/"})
+		http.SetCookie(w, &http.Cookie{Name: "sort", Value: listing.Sort, Path: bc.PathScope, Secure: r.TLS != nil})
+		http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: bc.PathScope, Secure: r.TLS != nil})
 	}

 	if listing.Order == "" {
@@ -325,7 +325,7 @@ func (b Browse) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
 			listing.Order = orderCookie.Value
 		}
 	} else {
-		http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: "/"})
+		http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: bc.PathScope, Secure: r.TLS != nil})
 	}

 	listing.applySort()