[Webkit-unassigned] [Bug 201051] New: Safari doesn't Leave Secure Cookies Alone

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 22 13:58:57 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=201051

            Bug ID: 201051
           Summary: Safari doesn't Leave Secure Cookies Alone
           Product: WebKit
           Version: Safari 12
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: chlily at chromium.org

https://tools.ietf.org/html/draft-west-leave-secure-cookies-alone-05 says that if we have a pre-existing cookie set over HTTPS that indicates Secure, and we get another cookie of the same name over HTTP, the original Secure cookie should be left alone and the new cookie should not be set.

Repro (Safari 12.1.2):
1. Open http://example.com and https://example.com
2. On the https site, run document.cookie="asdf=foo;secure"
3. On the http site, run document.cookie="asdf=bar"
4. The document.cookie will contain asdf=bar.

-- 
You are receiving this mail because:
You are the assignee for the bug.
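
Added example (not part of the original report and not WebKit code): a minimal in-memory cookie store that applies the storage rule from the draft cited above and replays the repro steps. The names CookieStore, domainMatches, pathMatches and runRepro are hypothetical, and the model is simplified (default path "/", no host-only flag, no expiry).

```javascript
// Added example: simplified cookie-store model, not a browser API.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Path-match as defined in RFC 6265 section 5.1.4.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieStore {
  constructor() { this.cookies = []; }

  // url: URL of the setting document; cookie: {name, value, secure?, domain?, path?}
  // Returns true if the cookie was stored, false if it was ignored.
  set(url, cookie) {
    const u = new URL(url);
    const secureScheme = u.protocol === "https:";
    // Assumption: default path is "/" (real user agents derive it from the URL).
    const c = { domain: u.hostname, path: "/", secure: false, ...cookie };

    // A non-secure origin may not create a Secure cookie.
    if (c.secure && !secureScheme) return false;

    // A non-secure origin may not overlay an existing Secure cookie.
    if (!secureScheme) {
      const blocked = this.cookies.some(e =>
        e.secure && e.name === c.name &&
        (domainMatches(e.domain, c.domain) || domainMatches(c.domain, e.domain)) &&
        pathMatches(c.path, e.path));
      if (blocked) return false;
    }

    // Otherwise replace any cookie with the same (name, domain, path), or add.
    this.cookies = this.cookies.filter(e =>
      !(e.name === c.name && e.domain === c.domain && e.path === c.path));
    this.cookies.push(c);
    return true;
  }

  get(name) { return this.cookies.filter(c => c.name === name).map(c => c.value); }
}

// Repro steps 2 and 3 from the report, run against the model.
function runRepro() {
  const store = new CookieStore();
  const first = store.set("https://example.com/", { name: "asdf", value: "foo", secure: true });
  const second = store.set("http://example.com/", { name: "asdf", value: "bar" });
  return { first, second, values: store.get("asdf") };
}
```

Under the draft's rule, step 3 is ignored and the store still holds only asdf=foo; a non-secure cookie of the same name is blocked only where its path path-matches the Secure cookie's path.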