I would like to see this happen, since when dealing with Enterprise Vulnerability Scans it always comes up.
On Monday, January 7, 2013 2:09:42 PM UTC-8, Stephen Touset wrote:
>
> Earlier, someone proposed on the GH issues tracker that Rails default all
> cookies to HttpOnly[1]. Rails already makes the session cookie HttpOnly,
> but given a general to keep Rails secure-by-default, it would probably be
> best if *all* cookies defaulted to HttpOnly. This would be a
> compatibility-breaking change, but it wouldn't be difficult to add a
> configuration option that can be defaulted to false for existing Rails apps
> that are upgraded.
>
> I'm more than happy to write the code for this change, but wanted to
> discuss it here first to see if anyone objects strongly. Josh Peek had
> concerns with backwards compatibility, but I think my proposal above for a
> configuration option should satisfy them. Anyone care to weigh in?
>
> [1] https://github.com/rails/rails/issues/1449
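As an added illustration (not Rails code and not the author's patch): a minimal cookie jar that models the proposal, with a hypothetical `default_httponly` switch standing in for the proposed configuration option, plus the kind of Set-Cookie check an enterprise vulnerability scanner reports on. Cookie names, values and the header layout are constructed for the example.

```ruby
require 'cgi'
require 'time'

# Toy cookie jar: HttpOnly is on by default, a cookie can opt out explicitly,
# and a compatibility switch restores the old "off by default" behaviour.
class CookieJar
  # default_httponly is the hypothetical config option from the thread:
  # true for new apps, false for upgraded apps that still need the old default.
  def initialize(default_httponly: true)
    @default_httponly = default_httponly
    @cookies = {}
  end

  # options may contain :httponly, :secure, :path and :expires (a Time).
  def set(name, value, options = {})
    opts = { httponly: @default_httponly, path: '/' }.merge(options)
    @cookies[name.to_s] = { value: value.to_s, options: opts }
  end

  # Render one Set-Cookie header value per cookie, as the response would carry it.
  def headers
    @cookies.map do |name, c|
      o = c[:options]
      parts = ["#{CGI.escape(name)}=#{CGI.escape(c[:value])}"]
      parts << "path=#{o[:path]}" if o[:path]
      parts << "expires=#{o[:expires].httpdate}" if o[:expires]
      parts << 'secure' if o[:secure]
      parts << 'HttpOnly' if o[:httponly]
      parts.join('; ')
    end
  end
end

# Scanner-style check: names of cookies whose Set-Cookie line lacks HttpOnly.
# Attribute matching is case-insensitive, as browsers treat it.
def cookies_without_httponly(set_cookie_lines)
  set_cookie_lines
    .reject { |line| line.split(';').map(&:strip).any? { |a| a.casecmp?('httponly') } }
    .map { |line| line.split('=', 2).first }
end
```

A cookie that JavaScript genuinely needs to read is set with `httponly: false`; everything else gets the flag without the developer having to remember it.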