Summary
The synthetic_id cookie is set with Secure; SameSite=Lax but no HttpOnly. Any XSS on the publisher's page can exfiltrate this tracking identifier via document.cookie.
Refs
crates/common/src/cookies.rs lines 67-72 — create_synthetic_cookie format string
Recommendation
Add HttpOnly if client-side JS doesn't need to read this cookie directly (it already gets the value via the x-synthetic-id header).
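As an added illustration (not the project's own cookies.rs code), the header the issue describes beside the recommended form, plus a small check that flags a Set-Cookie value missing HttpOnly; the function names, Path attribute and attribute order are assumptions of this example.

```rust
// Added example, not code from crates/common/src/cookies.rs.
// Builds the synthetic_id Set-Cookie value as the audit describes it, the
// hardened form with HttpOnly, and a check usable in a unit test or review.

/// As reported: Secure; SameSite=Lax, no HttpOnly (readable via document.cookie).
fn create_synthetic_cookie_before(value: &str) -> String {
    format!("synthetic_id={value}; Path=/; Secure; SameSite=Lax")
}

/// Recommended: same cookie with HttpOnly, so injected script on the
/// publisher page cannot read it; the server still sends the value in the
/// x-synthetic-id response header for client-side use.
fn create_synthetic_cookie_after(value: &str) -> String {
    format!("synthetic_id={value}; Path=/; Secure; SameSite=Lax; HttpOnly")
}

/// Cookie attributes after the name=value pair, lowercased
/// (attribute names are case-insensitive per RFC 6265).
fn attributes(set_cookie: &str) -> Vec<String> {
    set_cookie
        .split(';')
        .skip(1)
        .map(|a| a.trim().to_ascii_lowercase())
        .collect()
}

/// True when the Set-Cookie value carries HttpOnly.
fn has_http_only(set_cookie: &str) -> bool {
    attributes(set_cookie).iter().any(|a| a == "httponly")
}

/// Hardening attributes a tracking identifier cookie should carry but lacks.
fn missing_hardening(set_cookie: &str) -> Vec<&'static str> {
    let attrs = attributes(set_cookie);
    let mut missing = Vec::new();
    if !attrs.iter().any(|a| a == "secure") { missing.push("Secure"); }
    if !attrs.iter().any(|a| a == "httponly") { missing.push("HttpOnly"); }
    if !attrs.iter().any(|a| a.starts_with("samesite=")) { missing.push("SameSite"); }
    missing
}

fn main() {
    let before = create_synthetic_cookie_before("abc123");
    let after = create_synthetic_cookie_after("abc123");
    println!("before: {before}\n  missing: {:?}", missing_hardening(&before));
    println!("after:  {after}\n  missing: {:?}", missing_hardening(&after));
}
```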
Context
Production readiness audit — see #396