Could the sessionId cookie be made httpOnly to avoid potential XSS?

[Loki-Afro]

Is your feature request related to a problem? Please describe.
Currently the sessionId can not be made httpOnly

Describe the solution you'd like
sessionId to be made httpOnly

Describe alternatives you've considered
going the oauth route might not be worth it and might be affected too?

documentation I found https://docs.etherpad.org/cookies.html

[SamTV12345]

I'll check. How did you verify that the cookie can't be made httpOnly? Did you use any plugins?

[Loki-Afro]

hey @SamTV12345 i briefly checked the code and saw some discussion somewhere

i do not use any plugins.

code like this for example:

etherpad-lite/src/static/js/timeslider.ts

Line 104 in 45a906e

sessionID: Cookies.get('sessionID'),

makes it currently not possible as far as i understand

[SamTV12345]

Yeah then it's hard. I'll check if it is possible. First impression is that I have to check all the other plugins too before doing this change or I do a flag for people who want to enable it.

[SamTV12345]

I just checked. It is not feasable. We use socket.io for sending messages around. In order for the server to access the cookie you need something like a post request with the cookie but it's socket.io i.e. we need some JavaScript to send the message and the JavaScript needs access to the sessionId.

[Loki-Afro]

@SamTV12345 haven't looked so deeply into the code but isn't this approach feasible: https://stackoverflow.com/a/73338844/1248724 ?

in another project ... we are using socket.io as well, we have also have a httpOnly session cookie.