Security
- Preserve host-only cookie scope and require explicit persistence markers (GHSA-wm3w-8rrp-j577)
- Bound response cookie admission and generated
Cookieheaders (GHSA-f283-ghqc-fg79) - Exclude URI fragments from
Refererheaders generated for redirects (GHSA-h95v-h523-3mw8)