Earlier, someone proposed on the GH issues tracker that Rails default all cookies to HttpOnly. Rails already makes the session cookie HttpOnly, but given a general goal to keep Rails secure-by-default, it would probably be best if all cookies defaulted to HttpOnly. This would be a compatibility-breaking change, but it wouldn't be difficult to add a configuration option that can be defaulted to false for existing Rails apps that are upgraded.
I’m more than happy to write the code for this change, but wanted to discuss it here first to see if anyone objects strongly. Josh Peek had concerns with backwards compatibility, but I think my proposal above for a configuration option should satisfy them. Anyone care to weigh in?
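As an added illustration of the proposal (not code from Rails or from this thread), here is a toy cookie jar in plain Ruby. The `default_httponly` switch on `Config` stands in for the configuration option described above and is a hypothetical name; the per-cookie `httponly:` keyword lets an individual cookie opt out, and the session cookie stays HttpOnly regardless of the switch, matching what Rails already does for it.

```ruby
# Added example, not Rails code. Models the proposal: every cookie is
# HttpOnly unless the app-wide default is turned off for an upgraded app
# or the individual cookie opts out. `default_httponly` is a hypothetical
# setting name, not a real Rails configuration option.
require 'cgi'

module CookieDefaults
  # App-wide switch. A new app gets `true`; an upgraded app can set it to
  # `false` to keep the behaviour it had before the change.
  class Config
    attr_accessor :default_httponly

    def initialize(default_httponly: true)
      @default_httponly = default_httponly
    end
  end

  class Jar
    SESSION_COOKIE = '_app_session' # hypothetical session cookie name

    attr_reader :headers # Set-Cookie header values produced so far

    def initialize(config)
      @config = config
      @headers = []
    end

    # Write a cookie and return its Set-Cookie header value.
    # `httponly:` may be given explicitly; when omitted (nil) the
    # app-wide default decides.
    def set(name, value, httponly: nil, secure: false, path: '/')
      flag = httponly.nil? ? @config.default_httponly : httponly
      attrs = ["#{CGI.escape(name.to_s)}=#{CGI.escape(value.to_s)}", "path=#{path}"]
      attrs << 'secure' if secure
      attrs << 'HttpOnly' if flag
      header = attrs.join('; ')
      @headers << header
      header
    end

    # The session cookie is always HttpOnly, independent of the switch,
    # because nothing client-side should ever need to read it.
    def set_session(value, secure: false)
      set(SESSION_COOKIE, value, httponly: true, secure: secure)
    end

    # True if the given header value carries the HttpOnly attribute.
    def self.httponly?(header)
      header.split('; ').any? { |a| a.casecmp('HttpOnly').zero? }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  jar = CookieDefaults::Jar.new(CookieDefaults::Config.new)
  puts jar.set('theme', 'dark')                    # HttpOnly by default
  puts jar.set('js_flag', '1', httponly: false)    # explicit opt-out
  legacy = CookieDefaults::Jar.new(CookieDefaults::Config.new(default_httponly: false))
  puts legacy.set('theme', 'dark')                 # old behaviour preserved
  puts legacy.set_session('abc123')                # session still HttpOnly
end
```

The only moving part is the nil check in `set`: an omitted `httponly:` defers to the app-wide default, while an explicit `false` still wins, which is what lets a migrated app flip the switch once rather than touch every cookie write.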