[openstreetmap/openstreetmap-website] WIP: devcontainer configuration (PR #6424)

Pablo Brasero notifications at github.com
Fri Oct 3 11:23:34 UTC 2025


pablobm left a comment (openstreetmap/openstreetmap-website#6424)

I'm reading a bit more. I think the explanation (or at least one explanation) is that an attacker could impersonate the HTTP version of the site before the redirection to HTTPS. Hence we can't be sure that we are setting the cookie securely.

I think `location.protocol === 'https'` would not work as it would not protect us from those edge cases that `secure` is supposed to be about. I'll put a variable to signal that we are in production and use that.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/6424#issuecomment-3365324659

Message ID: <openstreetmap/openstreetmap-website/pull/6424/c3365324659 at github.com>
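
The `secure` cookie behaviour discussed in the comment above, as an added example that is not part of the original comment or of the openstreetmap-website code: a simplified model of the browser rule that a cookie carrying `Secure` is attached only to HTTPS requests, with the attribute driven by an explicit production flag. The function names, cookie names and URLs are assumptions made for illustration.

```javascript
// Added example; all names and values are constructed for illustration.

// Build a cookie string. Secure is decided by an explicit deployment flag,
// not by inspecting the protocol of the page that happens to be loaded.
function buildCookie(name, value, { production }) {
  const parts = [
    `${encodeURIComponent(name)}=${encodeURIComponent(value)}`,
    "Path=/",
    "SameSite=Lax",
  ];
  if (production) parts.push("Secure");
  return parts.join("; ");
}

// Parse the name and the Secure attribute back out of a cookie string.
function parseCookie(cookie) {
  const [pair, ...attrs] = cookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return {
    name: decodeURIComponent(pair.slice(0, eq)),
    secure: attrs.some((a) => a.toLowerCase() === "secure"),
  };
}

// Simplified model of the browser rule: a Secure cookie is attached only to
// https:// requests; a cookie without it also goes out over plain http://,
// where anyone answering in place of the real site can read it.
function cookiesSentTo(url, jar) {
  const https = new URL(url).protocol === "https:";
  return jar
    .map(parseCookie)
    .filter((c) => https || !c.secure)
    .map((c) => c.name);
}

// Constructed jar: one cookie built with the production flag, one without.
const jar = [
  buildCookie("pref_prod", "1", { production: true }),
  buildCookie("pref_dev", "1", { production: false }),
];

console.log(cookiesSentTo("http://site.example/", jar));
console.log(cookiesSentTo("https://site.example/", jar));
```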