Aidan Woods

Results 151 comments of Aidan Woods

> I'm 👍 for two fixers, like to hear from @keradus and @julienfalque

I shall await further feedback in that case – I don't really mind either way, current method...

Ah yes, I hadn't considered that the location fixer was in fact non-risky (and so would be unnecessarily marked as risky). Splitting into separate fixers makes sense to me! Will...

Fixers are split, have rebased on master. (you guys work fast here 😜 – a whole class was deprecated and started throwing notices between my commits last week and now!)

For visibility: I just rebased on current master so tests are up to date on this branch.

@TomasVotruba

> Was there something that stopped you from finishing this?

If I recall I think I was waiting for feedback on some code duplication i.e. whether or not to...

I'm happy to do some more work on this. It's (clearly) been a while since these changes were proposed and I haven't yet had a look at the current codebase...

@shakaran unfortunately I think rebasing is probably going to be non-trivial (given more than 4 years have passed since the initial PR). If anyone who currently works on the project...

Thanks :) > How would you plan the upgrade path? IMO, there should be another release in version 2 that allows an opt-in to the new default behavior. I've marked...

> Wouldn't it make sense to detect whether sessions are handled via cookies and if so add the session cookie's name to the protectedCookies list?

I like the idea here...

Yup, I'll take a look at doing that – cheers for the links. In fact, if a session *isn't* cookie based, I wonder whether SecureHeaders should say something to encourage use...