As of just now, I've switched the cookies that the Perlmonks domains set to have the HTTPOnly attribute. This means that the most trivial XSS attack won't be able to steal cookies from here, as the browser will not make the cookie available to Javascript code.
This should be testable locally by pasting the following text into your browser Javascript console while on a Perlmonks domain:
javascript:alert(document.cookies);
If the userpass cookie still shows up there, you might need to log out and log in again.
I believe this will have no ill side-effects.
If you have a genuine use-case for giving Javascript access to the site cookie, please speak up so we can discuss a work-around.
Back to
Perl Monks Discussion