6826e43ad7
We can't make the cookie `HttpOnly` because we're setting it from JavaScript, but I'm not sure it's worth the trouble to redesign that: `JSON.parse(localStorage.account).token` gives you the token anyway; hiding the cookie from JS won't offer much protection. At least we can mark it `Secure` (meaning, only send it over HTTPS) and _delete it on logout_ (it wasn't!)
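An added illustration of the two points the commit message makes, not code from the commit or from the Sharkey/Misskey codebase: a cookie written through `document.cookie` cannot be `HttpOnly` (browsers ignore the whole write, RFC 6265 §5.3), so the flags left to script are `Secure`, `SameSite` and `Path`; and a logout only clears the cookie when the expired overwrite carries the same name and `Path` (and `Domain`, if one was used). The cookie name `token`, `Path=/`, `SameSite=Lax`, the function names and the small cookie-jar model are assumptions for the example, not the project's real settings.

```javascript
// Added example, not code from the commit or from Sharkey/Misskey:
// a Secure session cookie written from script, cleared again on logout,
// run against a small model of the browser cookie jar so the behaviour
// can be checked offline. Cookie name, Path and SameSite are assumptions.

const COOKIE_NAME = "token";   // assumed name; the real project's may differ
const COOKIE_PATH = "/";       // assumed path

// Reject values that would break the cookie string (RFC 6265 cookie-octet:
// printable ASCII without space, double quote, comma, semicolon, backslash).
function assertCookieSafe(value) {
  if (!/^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$/.test(value)) {
    throw new Error("value contains characters that are not cookie-safe");
  }
}

// `HttpOnly` cannot be set from document.cookie at all: a browser ignores
// the whole write (RFC 6265 section 5.3, step 10). What script can set is
// Secure, SameSite and an explicit Path, so that is what the login cookie carries.
function sessionCookieString(token) {
  assertCookieSafe(token);
  return `${COOKIE_NAME}=${token}; Path=${COOKIE_PATH}; Secure; SameSite=Lax`;
}

// Logout overwrites the cookie with an already-expired one. Name AND Path
// (and Domain, if one was used) must match the original, or the old cookie stays.
function logoutCookieString() {
  return `${COOKIE_NAME}=; Path=${COOKIE_PATH}; Max-Age=0; Secure; SameSite=Lax`;
}

// Minimal cookie-jar model: enough of document.cookie's set/get semantics
// to show what the two strings above actually do in a browser.
class CookieJar {
  constructor() { this.store = new Map(); }   // key "name|path" -> value

  // Returns false when the write is ignored, as a browser would ignore it.
  set(cookieString) {
    const [pair, ...attrs] = cookieString.split(";").map(s => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 0) return false;
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    let path = "/", maxAge = null, httpOnly = false;
    for (const attr of attrs) {
      const [k, v] = attr.split("=").map(s => s.trim());
      const key = k.toLowerCase();
      if (key === "path") path = v;
      else if (key === "max-age") maxAge = Number(v);
      else if (key === "httponly") httpOnly = true;
    }
    if (httpOnly) return false;               // script may not set HttpOnly
    const storeKey = `${name}|${path}`;
    if (maxAge !== null && maxAge <= 0) {     // expired on arrival: remove
      this.store.delete(storeKey);
    } else {
      this.store.set(storeKey, value);
    }
    return true;
  }

  // The document.cookie getter: "name=value" pairs whose Path matches the page.
  read(pagePath = "/") {
    const out = [];
    for (const [storeKey, value] of this.store) {
      const [name, path] = storeKey.split("|");
      const prefix = path.endsWith("/") ? path : path + "/";
      if (pagePath === path || pagePath.startsWith(prefix)) out.push(`${name}=${value}`);
    }
    return out.join("; ");
  }
}

// Login followed by a correct logout: the cookie is gone afterwards.
function loginThenLogout(jar, token) {
  jar.set(sessionCookieString(token));
  const duringSession = jar.read();
  jar.set(logoutCookieString());
  return { duringSession, afterLogout: jar.read() };
}

// The failure mode: "deleting" with a different Path leaves the session
// cookie in place, which is what a broken logout looks like in practice.
function logoutWithWrongPath(jar, token) {
  jar.set(sessionCookieString(token));
  jar.set(`${COOKIE_NAME}=; Path=/logout; Max-Age=0; Secure; SameSite=Lax`);
  return jar.read();
}
```

Against a real browser the same strings are assigned to `document.cookie`; the jar model exists only so the set/delete behaviour can be asserted without one. The `Secure` attribute is honoured by the browser on send, so the model does not simulate it.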
Repository contents:

- backend
- frontend
- megalodon
- misskey-bubble-game
- misskey-js
- misskey-reversi
- shared
- sw
- meta.json