In that case, even that shared cookie should likely be HttpOnly anyway.
I'm not quite following why anyone would really oppose such a change here —
Rails needs to maintain a strong secure-by-default stance, and every case where
developers have to opt in to security is a case where many
I have the same question with https://github.com/rails/rails/issues/13920...
--
Sergio Campamá
sergiocamp...@gmail.com
On Tue, May 27, 2014 at 2:29 PM, Rodrigo Rosenfeld Rosas
rr.ro...@gmail.com wrote:
Hello,
a while ago I created this issue on GitHub:
We just need to confirm it is still an issue, so if you comment there we
will review the issue again and remove the stale label. Both issues are
marked properly.
Rafael Mendonça França
http://twitter.com/rafaelfranca
https://github.com/rafaelfranca
On Tue, May 27, 2014 at 3:29 PM, Rodrigo