Enable $wgCookieHttpOnly by default on PHP 5.2 or later.

Version checks are still duplicated areound stcookie so that manually enabling it at least won't *break cookies entirely* on an old PHP version.

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 57b5bf9..de89f28 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -1494,10 +1494,13 @@ $wgCookieSecure = ($wgProto == 'https');
 $wgDisableCookieCheck = false;
 
 /**
- * Set authentication cookies to httpOnly to prevent stealing by JS, in brow-
- * sers that support this feature.
+ * Set authentication cookies to HttpOnly to prevent access by JavaScript,
+ * in browsers that support this feature. This can mitigates some classes of
+ * XSS attack.
+ *
+ * Only supported on PHP 5.2 or higher.
  */
-$wgCookieHttpOnly = false;
+$wgCookieHttpOnly = version_compare("5.2", PHP_VERSION, "<");
 
 /** A list of cookies that vary the cache (for use by extensions) */
 $wgCacheVaryCookies = array();