Is your proposal related to a problem?
The jwt cookie can be accessed from JavaScript.
If one were to find an XSS vulnerability in lemmy-ui, it could be abused to extract the jwt cookie.
Describe the solution you'd like.
Using the HttpOnly cookie attribute would prevent JavaScript code from accessing the jwt cookie.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security
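As an added illustration (not code from lemmy-ui or the issue author), the following shows how a server would emit the jwt cookie with the HttpOnly attribute, alongside a small audit helper that flags a Set-Cookie header missing it. The cookie name "jwt" comes from the issue; the Max-Age, SameSite value and the helper names are assumptions chosen for the example.

```javascript
// Added example: emit the jwt cookie with HttpOnly and audit Set-Cookie headers.
// Not lemmy-ui code; cookie lifetime and SameSite policy are assumptions.

// Build the Set-Cookie header value for the session token.
// HttpOnly keeps document.cookie from exposing the value to page scripts,
// Secure restricts it to HTTPS, SameSite=Strict limits cross-site sending.
function buildJwtCookie(token, { maxAgeSeconds = 365 * 24 * 60 * 60, secure = true } = {}) {
  // A JWT is base64url segments joined by dots; reject anything else so the
  // value cannot smuggle ';' or other attribute separators into the header.
  if (!/^[A-Za-z0-9._-]+$/.test(token)) {
    throw new Error("token contains characters that are not valid in a cookie value");
  }
  const parts = [`jwt=${token}`, "Path=/", `Max-Age=${maxAgeSeconds}`, "HttpOnly", "SameSite=Strict"];
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// Inspect a Set-Cookie header value (as seen in a response) and report which
// protective attributes are missing. Attribute names are case-insensitive.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  const lower = attrs.map((a) => a.toLowerCase());
  const has = (attr) => lower.some((a) => a === attr || a.startsWith(attr + "="));
  const findings = [];
  if (!has("httponly")) findings.push("missing HttpOnly");
  if (!has("secure")) findings.push("missing Secure");
  if (!has("samesite")) findings.push("missing SameSite");
  return { name, httpOnly: has("httponly"), secure: has("secure"), sameSite: has("samesite"), findings };
}

// Constructed sample: a placeholder token, not a real JWT.
const sampleHeader = buildJwtCookie("header.payload.signature");
console.log(sampleHeader);
console.log(auditSetCookie("jwt=header.payload.signature; Path=/").findings);
```

HttpOnly stops a script from reading the token, which is the extraction scenario the issue describes; it does not stop a script running in the page from sending requests that the browser will still attach the cookie to, so it narrows the impact of an XSS rather than removing it.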
Describe alternatives you've considered.
Writing perfect code without security vulnerabilities.
Additional context
No response