I would argue that if you have some information that can't be hijacked and 
even parsed in JavaScript (HttpOnly cookies can't be read from JavaScript at 
all), why would you use cookies instead of the Rails session?

On Friday, May 16, 2014 7:07:42 PM UTC-3, fedesoria wrote:
>
> I would like to see this happen, since when dealing with 
> Enterprise Vulnerability Scans it always comes up.
>
> On Monday, January 7, 2013 2:09:42 PM UTC-8, Stephen Touset wrote:
>>
>> Earlier, someone proposed on the GH issues tracker that Rails default all 
>> cookies to HttpOnly[1]. Rails already makes the session cookie HttpOnly, 
>> but given a general aim to keep Rails secure-by-default, it would probably 
>> be best if *all* cookies defaulted to HttpOnly. This would be a 
>> compatibility-breaking change, but it wouldn't be difficult to add a 
>> configuration option that can be defaulted to false for existing Rails apps 
>> that are upgraded.
>>
>> I'm more than happy to write the code for this change, but wanted to 
>> discuss it here first to see if anyone objects strongly. Josh Peek had 
>> concerns with backwards compatibility, but I think my proposal above for a 
>> configuration option should satisfy them. Anyone care to weigh in?
>>
>> [1] https://github.com/rails/rails/issues/1449
>>
>
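As an added illustration of the two things the thread is about (it is not Rails code and not from any poster): a small cookie jar that models the proposed rule, every cookie gets HttpOnly unless the caller explicitly opts out, with a single configuration switch so upgraded apps can keep the old behaviour, and the check an enterprise vulnerability scanner actually performs, flagging any Set-Cookie header that lacks the HttpOnly attribute. The class name, the `httponly_by_default` option and the sample headers are assumptions made for the example; in real Rails the per-cookie form is `cookies[:name] = { value: 'x', httponly: true }`.

```ruby
require 'cgi'

# Models the proposal from the thread: every cookie gets HttpOnly unless the
# caller opts out, and one configuration switch (httponly_by_default, a
# hypothetical name) lets upgraded apps keep the old default. This is an
# illustration, not Rails' own cookie jar.
class CookieJar
  attr_reader :headers

  def initialize(httponly_by_default: true)
    @httponly_by_default = httponly_by_default
    @headers = []
  end

  # Returns the Set-Cookie header value that would be emitted.
  # httponly: nil means "use the configured default"; true/false is explicit.
  def set(name, value, httponly: nil, secure: false, path: '/')
    flag = httponly.nil? ? @httponly_by_default : httponly
    parts = ["#{CGI.escape(name.to_s)}=#{CGI.escape(value.to_s)}", "path=#{path}"]
    parts << 'secure' if secure
    parts << 'HttpOnly' if flag
    header = parts.join('; ')
    @headers << header
    header
  end
end

# The check a vulnerability scanner applies: given the Set-Cookie header values
# of a response, return the names of cookies that lack the HttpOnly attribute.
# The attribute name is matched case-insensitively, as browsers treat it.
def cookies_missing_httponly(set_cookie_headers)
  set_cookie_headers.reject do |header|
    header.split(';').drop(1).any? { |attr| attr.strip.casecmp('httponly').zero? }
  end.map { |header| header.split('=', 2).first.strip }
end

# Constructed sample: a response that sets three cookies, as an app on the old
# default might. Only the session cookie carries HttpOnly.
SAMPLE_SET_COOKIE = [
  '_app_session=abc123; path=/; HttpOnly',
  'remember_token=deadbeef; path=/; expires=Thu, 01 Jan 2015 00:00:00 GMT',
  'theme=dark; path=/'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "Flagged by scan:  #{cookies_missing_httponly(SAMPLE_SET_COOKIE).inspect}"

  legacy = CookieJar.new(httponly_by_default: false)
  puts "Legacy default:   #{legacy.set('theme', 'dark')}"

  hardened = CookieJar.new
  puts "New default:      #{hardened.set('theme', 'dark')}"
  puts "Explicit opt-out: #{hardened.set('theme', 'dark', httponly: false)}"
end
```

Run against the sample, the scan flags `remember_token` and `theme`, which is exactly the finding that "always comes up" on enterprise scans; with the hardened jar both cookies would carry HttpOnly unless a caller passes `httponly: false`, so the opt-out is visible in the code rather than being the silent default.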

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.