SAMEORIGIN is a better compromise for a framework, since you sometimes do want to embed things on your domain.

In Lift 3.0-SNAPSHOT, we've introduced SecurityRules, which includes things like X-Frame-Options, Strict-Transport-Security, and Content-Security-Policy.

The session cookie is typically the domain of the container, so you should be able to tweak your jetty.xml or web.xml (for Servlet 3.0). We could add some hack code to make sure that's always done… It'd go with the secure-by-default principle, but it would be pretty nasty IMO. Certainly we should have our default web.xml in our starting apps include the http-only flag.

As for setting it explicitly to off, I don't believe HttpOnly should be interfering with anything; if it does, we should attend to it ASAP. At a glance, I don't see anything accessing document.cookie in the repo, at least in 3.0, so I don't think we care.
Thanks,
Antonio