Merge pull request #6 from tagup/zlee/DEV-3545-secure-cokie

DEV-3545: secure cookie flag
tagup · Oct 18, 2023 · d6cf20e · d6cf20e
2 parents a22413a + 6be91fd
commit d6cf20e
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 3 deletions.
diff --git a/changelog.md b/changelog.md
@@ -1,5 +1,8 @@
 # Tagup Changelog
 
+## 2023-10-17
+Added the `Secure;` flag to all `Set-Cookie` headers streamlit sends. This is to remediate possible vulnerabilities that our pentesters flagged. The `Secure;` flag makes it so the browser will only pass the set cookie over https.
+
 ## 2023-06-22
 - Removed the use of the `expressionInterpreter` when rendering Vega Lite charts. Using this renderer exposes a bug where a specified x-domain results in charts not rendering correctly. See these threads for more details: https://discuss.streamlit.io/t/time-axis-with-custom-scale/33524 https://github.com/vega/vega/issues/3632
 - Pinned `wheel` to 0.40.0 to fix a build error
diff --git a/frontend/lib/src/util/utils.ts b/frontend/lib/src/util/utils.ts
@@ -282,7 +282,7 @@ export function setCookie(
 ): void {
   const expirationDate = value ? expiration : new Date()
   const expirationStr: string = expirationDate
-    ? `expires=${expirationDate.toUTCString()};`
+    ? `expires=${expirationDate.toUTCString()}; Secure;`
     : ""
   document.cookie = `${name}=${value};${expirationStr}path=/`
 }

diff --git a/frontend/package.json b/frontend/package.json
@@ -1,6 +1,6 @@
 {
   "name": "streamlit",
-  "version": "1.26.0.dev1",
+  "version": "1.26.0.dev2",
   "private": true,
   "workspaces": [
     "app",

diff --git a/lib/setup.py b/lib/setup.py
@@ -21,7 +21,7 @@
 
 THIS_DIRECTORY = Path(__file__).parent
 
-VERSION = "1.26.0.dev1"  # PEP-440
+VERSION = "1.26.0.dev2"  # PEP-440
 
 NAME = "streamlit"