Should we AUS send the aus cookie as HttpOnly? See bug #178993 (we have HttpOnly support on trunk, but we're seeking backport to 1.8 branch). See also bug #383181.
Why? What are you trying to protect against? It's not like our users are logging in to AUS. Now Bugzilla and AMO cookies are another matter entirely. HTTPOnly would have some real value there.