"veyron/services/identity": Enable "Secure" cookies
Since our mechanism for seeking blessings from our Blessing provider
is based on OAuth2 tokens bound to cookies, it is important to
protect cookies for our Blessing provider as best as we can.
Currently, our cookies are "HttpOnly" but not "Secure", which means
that the browser may send them on clear http channels. As per
RFC 6265 (http://tools.ietf.org/html/rfc6265), it is recommended that
cookies set over an https channels have the "Secure" attribute (See
Section 8.3 and 8.6)
This CL sets the "Secure" attribute on all our cookies, and adds
a test for it.
Change-Id: Id990860c9e4b8221f8071dbe610ca523f2849d12
3 files changed
