I don’t think I understand why we wouldn’t prevent both XSS and CSWSH when we can. I agree that it’s possible to mess up and that Phoenix should have safe defaults (and it does), but why would we expose ourselves to increased XSS attack surface when we could prevent both?
Phoenix already has safe defaults for preventing CSWSH, and while it’s true that a compromised script could create a websocket connection and compromise you with a very Phoenix-centric attack, I think it’s much more likely that a malicious script just leaks high attack surface details such as non-http cookies, meta tags, headers, etc.
My use-case is that I would like to be able to use the cookie for both http auth and websocket auth… I can’t do that confidently if I know I’m exposing that cookie to XSS, and I don’t think we have to expose it to XSS.
I think the scenario where malicious JS is copy/pasting information to a 3rd party is much more likely than a malicious script sneaking in that creates websocket connections and executes domain specific logic.
I guess tl;dr - we already have safe defaults preventing CSWSH, so why wouldn’t we be encouraging people to use http only cookies to decrease XSS attack surface?