From c05c5163e293c92f7e5562df558fe955c7075f7a Mon Sep 17 00:00:00 2001
From: W-Mark Kubacki
Date: Sat, 16 Apr 2016 21:37:06 +0200
Subject: [PATCH] browse: Don't leak Cookies to sessions in HTTP from HTTPS
---
 middleware/browse/browse.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/middleware/browse/browse.go b/middleware/browse/browse.go
index 0a874ec64..8caed54c8 100644
--- a/middleware/browse/browse.go
+++ b/middleware/browse/browse.go
@@ -315,8 +315,8 @@ func (b Browse) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
 listing.Sort = sortCookie.Value
 }
 } else { // Save the query value of 'sort' and 'order' as cookies.
- http.SetCookie(w, &http.Cookie{Name: "sort", Value: listing.Sort, Path: "/"})
- http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: "/"})
+ http.SetCookie(w, &http.Cookie{Name: "sort", Value: listing.Sort, Path: bc.PathScope, Secure: r.TLS != nil})
+ http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: bc.PathScope, Secure: r.TLS != nil})
 }
 
 if listing.Order == "" {
@@ -325,7 +325,7 @@ func (b Browse) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
 listing.Order = orderCookie.Value
 }
 } else {
- http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: "/"})
+ http.SetCookie(w, &http.Cookie{Name: "order", Value: listing.Order, Path: bc.PathScope, Secure: r.TLS != nil})
 }
 
 listing.applySort()
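Review bot: `Secure: r.TLS != nil` on the three added `http.SetCookie` calls (two in this hunk, one in the next) reflects only the connection this process itself accepted, so if TLS is terminated by a proxy in front of it `r.TLS` is nil and the cookies go out without `Secure` even though the browser is on HTTPS. The attribute also only keeps the cookie from being sent over plain HTTP; a plain-HTTP response for the same host may still be able to set `sort`/`order`, so the values read back through `r.Cookie(...)` remain untrusted and should be checked against the known sort keys before use. Whether `applySort` does that is not visible here. A short comment above the calls would record the intent, e.g. `// Secure only when this request arrived over TLS; cookies are scoped to the browse path.` `bc` is defined outside the hunk and ServeHTTP's body continues beyond it.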
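Review bot: The `order` cookie has two writers: this statement, and the second `http.SetCookie` in the `sort` else-branch of the previous hunk, which runs before the `if listing.Order == ""` check and so can store an empty value. A request carrying `sort` but no `order` would then replace a saved order with `order=`, and the next request reads that empty value back through `listing.Order = orderCookie.Value`; a request carrying both parameters emits two `Set-Cookie` headers for `order`. Dropping the `order` call from the `sort` branch, or guarding it with `if listing.Order != "" {`, leaves this statement as the single writer. What `applySort` does with an empty order is outside the hunk.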