pablobm left a comment (openstreetmap/openstreetmap-website#6424)
I'm reading a bit more. I think the explanation (or at least one explanation)
is that an attacker could impersonate the HTTP version of the site before the
redirection to HTTPS. Hence we can't be sure that we are setting the cookie
securely.
I think `location.protocol === 'https'` would not work as it would not protect
us from those edge cases that `secure` is supposed to be about. I'll put a
variable to signal that we are in production and use that.
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/6424#issuecomment-3365324659
_______________________________________________
rails-dev mailing list
https://lists.openstreetmap.org/listinfo/rails-dev
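An added example, not code from the PR or the openstreetmap-website project, contrasting the two ways of deciding the `Secure` attribute discussed in the comment: deriving it from the page's own protocol versus a deployment flag. `IS_PRODUCTION`, the function names and the simulated page load are assumptions.

```javascript
// Build-time flag standing in for the "we are in production" variable the
// comment proposes (assumed name).
const IS_PRODUCTION = true;

// Rejected strategy: trust the protocol of the current page load. If the page
// was served by an attacker impersonating the plain-HTTP origin before the
// HTTPS redirect, `protocol` is "http:" and Secure is silently dropped.
// Note that location.protocol includes the trailing colon.
function secureFromProtocol(protocol) {
  return protocol === "https:";
}

// Adopted strategy: a deployment flag independent of how this page was served.
function secureFromEnvironment() {
  return IS_PRODUCTION;
}

// Build the string assigned to document.cookie; attributes are emitted only
// when set so the result can be inspected with parseCookieAttributes.
function buildCookie(name, value, { secure, sameSite = "Lax", path = "/" }) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
  parts.push(`Path=${path}`, `SameSite=${sameSite}`);
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// Parse a cookie string back into its attribute set for inspection and tests.
function parseCookieAttributes(cookie) {
  const [pair, ...attrs] = cookie.split("; ");
  const [name, rawValue] = pair.split("=");
  const result = { name, value: decodeURIComponent(rawValue), secure: false };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    if (k.toLowerCase() === "secure") result.secure = true;
    else result[k.toLowerCase()] = v;
  }
  return result;
}

// Simulated impersonated plain-HTTP page load (constructed, not a real origin).
const spoofedProtocol = "http:";
const weak = buildCookie("prefs", "layer=mapnik",
  { secure: secureFromProtocol(spoofedProtocol) });
const strong = buildCookie("prefs", "layer=mapnik",
  { secure: secureFromEnvironment() });
```

On the spoofed HTTP load `weak` carries no `Secure` attribute while `strong` always does, which is the gap the production flag closes.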