GitHub user VipinRathor opened a pull request:
https://github.com/apache/zeppelin/pull/2550
[MINOR] Updated shiro.init.template to include secure cookie option
### What is this PR for?
Based on discussion in https://github.com/apache/zeppelin/pull/2545 , I'm
updating the shiro.ini.template to include secure cookie option. With this
change, Zeppelin Shiro will always set 'HttpOnly' flag in cookie. This will
help to prevent majority of cross-site scripting (XSS) attacks.
### What type of PR is it?
Minor Improvement
### What is the Jira issue?
Minor change in shiro.ini
### How should this be tested?
CI tests should pass
### Questions:
* Does the licenses files need update? No
* Is there breaking changes for older versions? No
* Does this needs documentation? Doc changes already done in
https://github.com/apache/zeppelin/pull/2545
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/VipinRathor/zeppelin fix-shiro-template
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/2550.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2550
----
commit 1da09cf47c3e2dbf6e5eb07a9ac83993f2d2a9f3
Author: Vipin Rathor <[email protected]>
Date: 2017-08-24T06:25:15Z
[MINOR] Updated shiro.init.template to include secure cookie option
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
