-
By default, all frontend cookies have been set to insecure, even when HTTPS is enabled. This has tripped off some security scanners. While most of these cookies probably contain a single user preference and do not contain any personally-identifiable information, we should err on the side of caution and enable the Secure attribute if an encrypted channel is available. We now centralize all the application logic for cookie setting to the `setCookie` `getCookie` methods in `common_utils.js`. Relates to #24040 Changelog: security
9104396d
