When scanning a WikiJS installation with login at the root URL, OpenVAS reports a Missing httpOnly Cookie Attribute. The details report the following:
Set-Cookie: loginRedirect=%2F; Max-Age=900; Path=/; HttpOnly; Secure; SameSite=***replaced***;; Expires=Sat, 07 Jan 2023 09:33:42 GMT
are missing the "httpOnly" attribute.
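As an added illustration, not part of the original thread and not OpenVAS's own check: a small parser following the RFC 6265 section 5.2 attribute algorithm (split on ';', trim, ignore empty segments, compare names case-insensitively) finds the HttpOnly flag in the header quoted above despite the doubled ";;", while a constructed strict pattern that expects exactly one "; " between attributes rejects the whole header. The header string and the strict pattern are constructed for this example.

```python
import re

# Header quoted in the post above (the SameSite value was already
# redacted there); constructed here as sample input for the example.
CONSTRUCTED_HEADER = (
    "loginRedirect=%2F; Max-Age=900; Path=/; HttpOnly; Secure; "
    "SameSite=***replaced***;; Expires=Sat, 07 Jan 2023 09:33:42 GMT"
)

# Constructed strict pattern (an assumption, not the scanner's regex):
# it requires every attribute to be separated by exactly one "; ", so the
# empty segment produced by ";;" makes the whole header fail to match.
STRICT_RE = re.compile(r"^(?:[^;]+)(?:; [^;]+)*$")


def parse_set_cookie(header: str) -> dict:
    """Parse a Set-Cookie value the way RFC 6265 section 5.2 describes:
    the first segment is name=value, the rest are attributes; segments are
    split on ';', whitespace-trimmed, empty ones are skipped and attribute
    names are matched case-insensitively."""
    name_value, _, rest = header.partition(";")
    name, _, value = name_value.partition("=")
    attrs = {}
    for segment in rest.split(";"):
        segment = segment.strip()
        if not segment:  # tolerate ";;" and a trailing ";"
            continue
        attr, _, attr_value = segment.partition("=")
        attrs[attr.strip().lower()] = attr_value.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def has_httponly(header: str) -> bool:
    """True when the HttpOnly attribute is present (value-less flag)."""
    return "httponly" in parse_set_cookie(header)["attrs"]


def strict_well_formed(header: str) -> bool:
    """True only when the header satisfies the constructed strict pattern."""
    return STRICT_RE.match(header) is not None


if __name__ == "__main__":
    print("RFC-style parse sees HttpOnly:", has_httponly(CONSTRUCTED_HEADER))
    print("strict pattern accepts header:", strict_well_formed(CONSTRUCTED_HEADER))
```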
Thanks a lot for your additional research / tests.
Unfortunately RFC related topics are always quite difficult to handle because there might be software strictly following the RFC (and ignoring everything not strictly following the RFC) while other software is “more lax” on the rules or interpreting them differently.
We will do some additional checks / tests from our side to see if it is safe to make the regex less strict.
This might take some time due to other priorities but the post will be updated once this is done to include our conclusion.