[wp-trac] [WordPress Trac] #62949: HttpOnly flag for the post password cookie
WordPress Trac
noreply at wordpress.org
Wed Feb 12 11:40:49 UTC 2025
#62949: HttpOnly flag for the post password cookie
-------------------------+-----------------------------
Reporter: johnbillion | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 1.5
Severity: normal | Keywords: 2nd-opinion
Focuses: |
-------------------------+-----------------------------
This is a follow-up to #61322.
Setting the `HttpOnly` flag on the post password cookie would help prevent
an XSS vulnerability from exposing its value. The risk of setting this
flag is that there may be client-side functionality in use that depends on
this value being accessible to JavaScript.
Let's assess if there are any popular plugins, themes, or front-end
frameworks that make use of the post password cookie in JavaScript.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62949>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
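The two checks the ticket calls for, written out as an added example (this is not code from the ticket or from WordPress core): first, read a `Set-Cookie` header and report whether a post password cookie carries `HttpOnly` (and `Secure`), which is what the XSS argument turns on; second, walk a plugin/theme tree and list the JavaScript lines that touch `document.cookie` or name the cookie, which is the audit needed before the flag can be turned on. It assumes only that the cookie is named `wp-postpass_` followed by the site's cookie hash; the headers and the plugin files are constructed inline.

```python
"""Audit helpers for the WordPress post password cookie (added example, not core code)."""
import os
import re
import tempfile

# WordPress names the cookie wp-postpass_<COOKIEHASH>; the hash suffix varies per site.
POSTPASS_PREFIX = "wp-postpass_"


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lower-cased attribute map.

    Flag attributes (HttpOnly, Secure) map to True; valued ones (Path, Expires,
    SameSite) map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def postpass_cookie_findings(header: str) -> list:
    """Return the hardening flags missing from a post password cookie header.

    Non-postpass cookies are ignored (empty list). An empty list for a postpass
    cookie means HttpOnly and Secure are both present. Note that core only sets
    Secure when the request came over HTTPS, so "Secure" is a finding only on
    an HTTPS site.
    """
    cookie = parse_set_cookie(header)
    if not cookie["name"].startswith(POSTPASS_PREFIX):
        return []
    missing = []
    if "httponly" not in cookie["attrs"]:
        missing.append("HttpOnly")  # readable via document.cookie, so XSS can exfiltrate it
    if "secure" not in cookie["attrs"]:
        missing.append("Secure")
    return missing


# A line is interesting if it names the cookie directly or reads document.cookie at all.
DIRECT_REF = re.compile(r"wp-postpass", re.IGNORECASE)
GENERIC_REF = re.compile(r"document\.cookie")


def find_js_cookie_readers(root: str) -> list:
    """List (relative path, line number, kind) for .js lines that could depend on the cookie.

    kind is "direct" when the line names wp-postpass, "generic" when it only
    touches document.cookie; generic hits need a manual look.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.endswith(".js"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if DIRECT_REF.search(line):
                        hits.append((os.path.relpath(path, root), lineno, "direct"))
                    elif GENERIC_REF.search(line):
                        hits.append((os.path.relpath(path, root), lineno, "generic"))
    return hits


def demo() -> dict:
    """Run both checks on constructed input: two headers and a fake wp-content tree."""
    # Constructed headers; the value stands in for the phpass hash core stores.
    before = ("wp-postpass_0123456789abcdef0123456789abcdef=$P$Bexamplehash; "
              "expires=Sat, 22 Feb 2025 11:40:49 GMT; path=/; secure")
    after = before + "; HttpOnly"
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "plugins", "example-plugin")
        os.makedirs(plugin)
        with open(os.path.join(plugin, "gate.js"), "w", encoding="utf-8") as fh:
            fh.write("// constructed plugin script that gates content client-side\n")
            fh.write("var unlocked = document.cookie.indexOf('wp-postpass_') !== -1;\n")
        with open(os.path.join(plugin, "other.js"), "w", encoding="utf-8") as fh:
            fh.write("console.log('no cookie access here');\n")
        hits = find_js_cookie_readers(root)
    return {
        "before": postpass_cookie_findings(before),  # ['HttpOnly']
        "after": postpass_cookie_findings(after),    # []
        "js_hits": hits,
    }


if __name__ == "__main__":
    print(demo())
```

Pointing `find_js_cookie_readers` at a real `wp-content/` directory gives the list of scripts to review; a "direct" hit is the kind of client-side dependency that `HttpOnly` would break, while "generic" hits are usually unrelated cookie use but are the only way to catch a script that builds the cookie name at runtime.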