Do not share cookies between HOSTNAME/git/ and HOSTNAME/doc/ #5

Open
opened 2025-02-18 12:06:37 +01:00 by Benjamin_Loison · 3 comments

Currently I figured out that `git` (Gitea) cookies are sent when requesting `doc` (BookStack). This may be a security issue, depending on sub websites we host and more or less trust.

The `HOSTNAME` I have in mind and its Nginx configuration are:

```
-----BEGIN PGP MESSAGE-----

hF4DTQa9Wom5MBgSAQdAN8nHwcnIP+Xk6j9equhEBMcxhu+p4MM9+fWGjZSPln8w
cvSsxXuaGcOsDTUAWiwMkCIXSFlhEjshequf9arpz/hTMewVdbzNKsrIYkcjYc77
0qoBjhHSkmr64axbBBS6zEJjNNpyc7GFSqvLWLKgjEH44gEsb7ETikTaZdwwrs0O
PCHeJj9/4CjOpaRCwfsRunvh/Y+BPlYxGvpq9+TxcMRtFBG5WoY7/ndeR74p6+Zj
MmIHUxKdDIcm1pkbIX0sJEnzXqQv6mzWGd/8kvWdJInWa1Tad188BWTo2JaqWoab
Ewyg4OgLsB77wu75ATPAZfsPS9eeZZMHc+cY4g==
=1c2v
-----END PGP MESSAGE-----
```

I notified the website owner, see my message:

```
-----BEGIN PGP MESSAGE-----

hF4DTQa9Wom5MBgSAQdAQZIz6Zq9bx52ABP9Eqru+HKOVPcOL33P9mA1GM2H5mUw
jF1vGQT3Ghu+abct3+UBN4C2NCEXSodVSLjVYYEY27Evgv4ApOiLiVkqrlZrien5
0qoBVOKAlGnqMz9vElHRWVAYhP7hGLKw3bjhDyH9jbtp5iu9tfWNY6j/zRQZqdGf
vVB7HMfa15aIUPSoDjLBD6hGk1Bvugh7IraJvWOnFpWaCixB/eB2k8N3GH3Ud4z5
N35ptumRc56n2VBRJTeb12AvF/9WRLWn/Wt1yGdswCXsItbqKQaHdbB/voG/wWtB
dZ4LtdcwGKETCIITx3zCtX6RbK2T25GZOrJLkw==
=iBfd
-----END PGP MESSAGE-----
```

I suspect some fields of *Web Developer Tools* > *Storage* > *Cookies* to help like *Path* and *SameSite*.
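As an added example (not code from this issue, nor from Gitea, BookStack or Nginx), the following Python models the RFC 6265 cookie `Path` rules to show which cookies a browser would attach to a request under `/doc/` when both apps share one hostname. The `Set-Cookie` headers and cookie names are constructed placeholders, not the apps' real cookies, and `HOSTNAME` stands in for the real host as in the issue text.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str  # effective Path attribute (explicit or default-path)


def default_path(request_path: str) -> str:
    """RFC 6265 section 5.1.4 default-path: '/' if the request path has no
    more than one '/', otherwise the path up to (not including) the
    right-most '/'."""
    if not request_path.startswith("/") or request_path.count("/") <= 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def parse_set_cookie(header: str, request_path: str) -> Cookie:
    """Parse one Set-Cookie header value; a missing Path falls back to the
    default-path of the request that set the cookie, as a browser does."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    path = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # RFC 6265 section 5.2.4: an empty Path or one not starting with '/' is ignored
        if key.strip().lower() == "path" and val.startswith("/"):
            path = val
    if path is None:
        path = default_path(request_path)
    return Cookie(name.strip(), value.strip(), path)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # a prefix only matches at a '/' boundary: /git matches /git/x but not /gitx
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for(jar: list[Cookie], url: str) -> list[str]:
    """Names of the jar's cookies a user agent would send in Cookie: for url."""
    request_path = urlsplit(url).path or "/"
    return [c.name for c in jar if path_matches(request_path, c.path)]


def demo() -> dict[str, list[str]]:
    """Constructed Set-Cookie headers for two apps behind one hostname.
    Cookie names are placeholders, not Gitea's or BookStack's real names."""
    jar = [
        # session cookie scoped to the whole site: it reaches /doc/ as well
        parse_set_cookie("gitea_session=s1; Path=/; HttpOnly; Secure; SameSite=Lax",
                         "/git/user/login"),
        # the same cookie with Path narrowed to the app's URL prefix
        parse_set_cookie("gitea_scoped=s2; Path=/git/; HttpOnly; Secure; SameSite=Lax",
                         "/git/user/login"),
        # no Path attribute: the browser derives /git/user from the request URL
        parse_set_cookie("gitea_csrf=t1; HttpOnly; Secure", "/git/user/login"),
        parse_set_cookie("doc_session=s3; Path=/doc/; HttpOnly; Secure", "/doc/"),
    ]
    urls = (
        "https://HOSTNAME/git/",
        "https://HOSTNAME/git/user/settings",
        "https://HOSTNAME/doc/books",
        "https://HOSTNAME/gitx",
    )
    return {url: cookies_for(jar, url) for url in urls}


if __name__ == "__main__":
    for url, names in demo().items():
        print(f"{url:40} -> {names}")
```

Only the cookie with `Path=/` is sent to `/doc/books`; narrowing it to `Path=/git/` keeps it out of BookStack requests. In Nginx the upstream's `Path` can be rewritten in the `location` that proxies Gitea with `proxy_cookie_path / /git/;`. Two caveats: `SameSite` only distinguishes cross-site requests, and `/git/` and `/doc/` on one host are the same site, so it does not separate them; and RFC 6265 section 8.6 states that path scoping is not a security boundary, since same-origin script under `/doc/` can still reach `/git/` (for example through an iframe). Real isolation needs separate origins, i.e. a distinct hostname per app with host-only cookies.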
Related to [Benjamin_Loison/BookStack/issues/6](https://codeberg.org/Benjamin_Loison/BookStack/issues/6).
Related to [Benjamin-Loison/darkreader/issues/27](https://github.com/Benjamin-Loison/darkreader/issues/27).
Reference: Benjamin_Loison/nginx#5