Do not leak HTTPS cookies to HTTP or JS #35

@alanhogan alanhogan commented Sep 16, 2017

This change does two things:

  1. Prevents admins running their site on HTTPS from leaking cookies over HTTP
  2. Prevents JavaScript from being able to inspect the cookie value

We should encourage people to change their passwords after this (hopefully alongside fixes for #33, #34)

@alanhogan alanhogan merged commit 215a166 into master Sep 16, 2017
@alanhogan alanhogan deleted the ajh/secure-cookies branch September 16, 2017 05:07
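
The two cookie attributes this pull request describes, as an added example that is not the project's own code: `Secure` keeps an HTTPS site's cookie off plain HTTP, and `HttpOnly` hides it from `document.cookie`. The function names, the `session` cookie name and the sample values are assumptions made for illustration.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name, value, site_is_https):
    """Build a Set-Cookie header value with the hardening flags applied.

    Secure is added only when the site is served over HTTPS (assumption:
    the caller knows its own scheme); browsers refuse Secure cookies that
    are set from a plain-HTTP origin, so an HTTP-only site must omit it.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True      # not readable from JavaScript
    if site_is_https:
        jar[name]["secure"] = True    # never sent over plain HTTP
    return jar[name].OutputString()


def audit_set_cookie(header_value, site_is_https):
    """Return findings for one Set-Cookie header value (empty list = OK)."""
    # Everything after the first ';' is an attribute; names are case-insensitive.
    attrs = {
        part.strip().split("=", 1)[0].lower()
        for part in header_value.split(";")[1:]
    }
    findings = []
    if site_is_https and "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable via document.cookie")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from the project.
    hardened = build_session_cookie("session", "abc123", site_is_https=True)
    legacy = "session=abc123; Path=/"
    for header in (hardened, legacy):
        print(header, "->", audit_set_cookie(header, site_is_https=True) or "ok")
```
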