This line of attack makes sense and it would appear that Nova is vulnerable here. What's not clear to me is where the fix actually takes place. Nova doesn't set the cookie here; it seems like this might fall into Horizon's domain. And if Nova is not setting the cookie, then does it still need to be aware of whether or not it is behind TLS?
Though it seems like it would be good for Nova to have that option, regardless.