#muheeb_unexpected

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1263396442387648545

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

hello! I don't understand, are you saying that when integrating js.stripe.com, this is causing the attribute httponly to be false?

yes correct httponly is false when integrate js.stripe.com in my application you can see in screenshot i am adding i need mae it httponly with true how i can do it

Why do you need this attribute to be true?

as it required for the application we implemented because every request shoud be use only httponly not by other source

I am not 100% sure of internal workings, but these cookies might need to be accessed by Stripe.js, that's why this parameter is not set.

so there is any way or code snippet to change hhtponly with true for stripe.js

No, since Stripe.js won't be able to work correctly then

ok,so we can't change it right? by code or anyotherway?

No, unfortunately, it has to stay this way.

ok, thanks , i have one more question

Sure

there is _stripe_sid and _stripe_mid that is also having attribute httponly false what we can do it to disappear or making true flag by code or other way?

Hm, I am not sure how these are set on your own domain. Let me check...

ok please check

I see these cookies are set when you load the Payment Element.
There's no Stripe.js API or even JavaScript API that would allow you to modify the httponly attribute of cookies, unfortunately.
The only way I see it is you will need to make an exception in your app to support it.

What do you mean?

nothing giving only screenshot integrated strip.js

Have you seen my earlier reply?

yes this one i got your point there no any stripe.js API or JavaScript API to modify attribute

we can make exception for it

can you suggest me code snippet for that exception please?

No, since I don't know what enforces this requirement in your application.

Normally, it shouldn't be a problem.

👋 taking over for my colleague. Let me know if there's any follow-up Qs I can answer!

Hi tarzan..!

as disscussed with vanya saying that there is no API (stripe.js and JavaScript) to modify httponly attribute as mentioned shared screen, so what is the solution for that?

@smoky flare please refer this attachment..!

what are you trying to achieve?

at my domain there is stripe cookies that is httponly attribute with false is available here i want to achieve to make it httponly with true. how i can do it?

these are from stripe.com

@smoky flare how i can achieve to set httponly attribute to true flag

??

you didn't answer my question

I need to understand what is the underlying ask and not just talk about implementation in order to be able to help you

there is no question regarding followup..!

not sure I understand what you mean by that

@tarzan are you availble to support me regarding my question of Stripe.js?

@opal torrent would you mind answering my question so I could help you?

yes tell me your question ?

what are you trying to achieve?

basically why do you need the httponly

i am not trying anything, but httponly is secure we are not able to acces by other source like Javascript or other so, that shloud be true for my domain where integrated Stripe

httponly=false means there is insecure cookie

my client is asking to make it secure

unfortunately that's not something you can achieve

httponly doesn't mean that a cookie is not secure

you have 2 different attributes Secure and Httponly

so if httponly=false means we can't acces stripe cookies..?

and yes httponly means that the cookie is accessible on the frontend

but that doesn't mean the cookie isn't secure

you mean to say its secure right ? whether it is httponly =true or false we consider Secure attribute if that is Strict or Lax?

please read this https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#:~:text=A cookie with,XSS)%20attacks.

you're right that it's better to have httponly

but by design we have some cookies that need to be accessible by javascript

so that's why we don't use httponly

ok thank you.

so, for me there is no any criteria to make it httponly with true of Stripe Cookies?

no sorry