Opened 6 weeks ago
#62949 new enhancement
HttpOnly flag for the post password cookie
Reported by: |  | Owned by: |  |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 1.5 |
Component: | Security | Keywords: | 2nd-opinion |
Focuses: |  | Cc: |  |
Description
This is a follow-up to #61322.
Setting the HttpOnly flag on the post password cookie would help prevent an XSS vulnerability from exposing its value. The risk of setting this flag is that there may be client-side functionality in use that depends on this value being accessible to JavaScript.
Let's assess if there are any popular plugins, themes, or front-end frameworks that make use of the post password cookie in JavaScript.
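As an added example (not code from WordPress core or from this ticket), the following models the browser rule that the HttpOnly attribute enforces (RFC 6265: HttpOnly cookies are omitted from non-HTTP APIs such as document.cookie but are still sent on HTTP requests) and puts the two sides of the trade-off side by side: what an XSS payload could read under the current and the proposed Set-Cookie headers, and whether a theme script that reads the cookie client-side keeps working. The cookie values, the COOKIEHASH placeholder and the scanned script snippets are all constructed; the helper that scans JavaScript source for references to the cookie is a triage aid for the assessment the ticket proposes, not a definitive check.

```javascript
// Added example, not WordPress code. Models HttpOnly semantics in a plain
// cookie-jar abstraction so the trade-off can be exercised without a browser.

// Parse one Set-Cookie header value into {name, value, attrs}.
// Attribute names are case-insensitive; flag attributes (Secure, HttpOnly)
// are stored as true. The value may itself contain '=' so split on the first.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const k = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[k] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// What document.cookie returns to page script: every cookie except those
// carrying HttpOnly. This is the surface an XSS payload can exfiltrate.
function scriptVisibleCookies(jar) {
  return jar
    .filter((c) => !c.attrs.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// What the browser attaches to an HTTP request within the cookie's scope:
// HttpOnly cookies are still sent, so the server-side password check is
// unaffected by the flag.
function requestCookieHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join('; ');
}

// A hypothetical theme script that reads the post password cookie client-side
// (for example to decide whether to render an "unlocked" state). It works only
// while the cookie is script-visible; under HttpOnly it sees nothing.
function themeSeesPostPassCookie(jar) {
  return /(^|;\s*)wp-postpass_[0-9a-f]+=/.test(scriptVisibleCookies(jar));
}

// Crude audit helper for the compatibility assessment: does a JavaScript
// source mention the post password cookie name prefix? False positives are
// expected (comments, unrelated strings); it is a triage aid only.
function referencesPostPassCookie(source) {
  return /wp-postpass/i.test(source);
}

// Constructed cookie jars. The real cookie name is wp-postpass_ + COOKIEHASH;
// the hash, the hashed-password value and the extra cookie are made up.
const COOKIEHASH = 'a1b2c3d4'; // assumed placeholder, not derived from a site
const currentJar = [
  parseSetCookie(`wp-postpass_${COOKIEHASH}=$P$Bhashed; path=/; secure`),
  parseSetCookie('theme_pref=dark; path=/'),
];
const proposedJar = [
  parseSetCookie(`wp-postpass_${COOKIEHASH}=$P$Bhashed; path=/; secure; HttpOnly`),
  parseSetCookie('theme_pref=dark; path=/'),
];

// Constructed script snippets standing in for plugin/theme code under review.
const themeSnippet = "var unlocked = /wp-postpass_/.test(document.cookie);";
const unrelatedSnippet = "const mode = localStorage.getItem('theme_pref');";

// Stand-alone run: show what an XSS payload reading document.cookie would get.
console.log('current  XSS view:', scriptVisibleCookies(currentJar));
console.log('proposed XSS view:', scriptVisibleCookies(proposedJar));
console.log('proposed request :', requestCookieHeader(proposedJar));
console.log('theme still works:', themeSeesPostPassCookie(proposedJar));
console.log('snippet refs     :', referencesPostPassCookie(themeSnippet), referencesPostPassCookie(unrelatedSnippet));
```

Two caveats a reviewer would raise against this model: HttpOnly hides the cookie's value from script but does not stop script from using it, since a same-origin request issued by an XSS payload still carries the cookie, so the flag limits exfiltration of the hash rather than access to the protected content; and the source scan above only finds literal references to the name prefix, so client-side code that reads all of document.cookie generically would not be flagged.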