Missing tag "httpOnly": true in cookie preferred_language
The cookie "preferred_language" currently comes without the tag "httpOnly": true. This was flagged by our company security scan.
This tag is already set on the cookie "_gitlab_session", and we need to set the tag "httpOnly" on the cookie "preferred_language" as well:
```json
"_gitlab_session": {
  "expires": "2023-03-08T11:01:49.000Z",
  "httpOnly": true,
  "path": "/",
  "samesite": "None",
  "secure": true,
  "value": ""
},
"preferred_language": {
  "path": "/",
  "samesite": "None",
  "secure": true,
  "value": "en"
}
```
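As an added example (not part of this issue and not GitLab's own code), the following Ruby script performs the kind of check the security scan above did: it parses `Set-Cookie` response headers and reports every cookie that lacks `HttpOnly`, `Secure` or `SameSite`. The two sample headers are constructed to mirror the cookie dump above.

```ruby
# Added example, not from the GitLab issue or GitLab's code base: audit
# Set-Cookie headers the way a security scan would and report cookies
# missing HttpOnly, Secure or SameSite.

REQUIRED_FLAGS = %w[httponly secure samesite].freeze

# Parse one Set-Cookie header value into { name:, value:, attrs: }.
# Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
# get the value true, valued attributes (Path, SameSite) keep their string.
def parse_set_cookie(header)
  pair, *attributes = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  attrs = attributes.each_with_object({}) do |attribute, memo|
    key, val = attribute.split("=", 2)
    memo[key.downcase] = val.nil? ? true : val
  end
  { name: name, value: value.to_s, attrs: attrs }
end

# Return { cookie name => [missing attribute names] }, listing only the
# cookies that fail the check; an empty hash means every cookie passed.
def audit_cookies(headers)
  headers.each_with_object({}) do |header, findings|
    cookie = parse_set_cookie(header)
    missing = REQUIRED_FLAGS.reject { |flag| cookie[:attrs].key?(flag) }
    findings[cookie[:name]] = missing unless missing.empty?
  end
end

# Constructed sample headers mirroring the issue's two cookies:
# "_gitlab_session" is compliant, "preferred_language" lacks HttpOnly.
SAMPLE_HEADERS = [
  "_gitlab_session=; Path=/; Expires=Wed, 08 Mar 2023 11:01:49 GMT; " \
  "Secure; HttpOnly; SameSite=None",
  "preferred_language=en; Path=/; Secure; SameSite=None"
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_cookies(SAMPLE_HEADERS).each do |name, missing|
    puts "#{name}: missing #{missing.join(', ')}"
  end
end
```

Running the script against the sample headers reports only `preferred_language: missing httponly`, which is exactly the scan finding this issue describes; once the cookie is issued with `HttpOnly`, the audit returns an empty result.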
Proposal
Whilst this is required for the normal operation of GitLab, we can allow self-managed users to opt out via an ops feature flag. When toggled on, this flag will remove the language switcher and prevent the setting of the preferred language cookie.
Edited by Sam Beckham