On Tue, Mar 13, 2012 at 3:38 PM, Remy Blank <[email protected]> wrote: > Philip Semanchuk wrote: >> On Tue, Mar 13, 2012 at 11:40 AM, Benjamin Lau >> <[email protected]> wrote: >>> You should probably add your voice to the ticket increasing the >>> pressure to actually get this patch included in the core as well. :-) >> >> Good advice. > > Nah, won't work ;) > > That patch actually looks pretty good, and I have had some more exposure > to HTTP-only cookies since the ticket was filed, so I think it's a good > idea. I'll apply it, probably later tonight or tomorrow. > > One thing I'm not quite sure, should the attribute be applied to all > cookies, or only to the auth cookie?
I saw the discussion in the ticket on this subject. IMHO it should apply to all. But I say that only from the principle of "don't expose more than you have to". I don't know what cookies Trac uses or how plugins might take advantage of them, so my opinion is pretty naive. > And about 0.13, you'll have to wait and see. I don't give any estimates > anymore, as I have lost all credibility on the subject anyway. Fair enough. Thanks! bye Philip -- You received this message because you are subscribed to the Google Groups "Trac Users" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/trac-users?hl=en.
