Fixes #3640: All cookies are not httpOnly by default in order to increase overall security

docs/guide/security-passwords.md

@@ -132,7 +132,7 @@ Securing Cookies
 ----------------
 
 - validation
-- httpOnly
+- httpOnly is default
 
 See also
 --------

framework/CHANGELOG.md

@@ -95,6 +95,7 @@ Yii Framework 2 Change Log
 - Chg #3383: Added `$type` parameter to `IdentityInterface::findIdentityByAccessToken()` (qiangxue)
 - Chg #3531: \yii\grid\GridView now allows any character (except ":") in the attribute part of the shorthand syntax for columns (rawtaz)
 - Chg #3544: Added `$key` as a parameter to the callable specified via `yii\grid\DataColumn::value` (mdmunir)
+- Chg #3640: All cookies are not httpOnly by default in order to increase overall security (samdark)
 - Chg #3687: Default `sourceLanguage` and `language` are now `en-US` in order for i18n formatter to work correctly (samdark)
 - Chg: Replaced `clearAll()` and `clearAllAssignments()` in `yii\rbac\ManagerInterface` with `removeAll()`, `removeAllRoles()`, `removeAllPermissions()`, `removeAllRules()` and `removeAllAssignments()` (qiangxue)
 - Chg: Added `$user` as the first parameter of `yii\rbac\Rule::execute()` (qiangxue)

framework/web/Cookie.php

@@ -45,7 +45,7 @@ class Cookie extends \yii\base\Object
      * By setting this property to true, the cookie will not be accessible by scripting languages,
      * such as JavaScript, which can effectively help to reduce identity theft through XSS attacks.
      */
-    public $httpOnly = false;
+    public $httpOnly = true;
 
     /**
      * Magic method to turn a cookie object into a string without having to explicitly access [[value]].