[Webkit-unassigned] [Bug 201051] New: Safari doesn't Leave Secure Cookies Alone
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Aug 22 13:58:57 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=201051
Bug ID: 201051
Summary: Safari doesn't Leave Secure Cookies Alone
Product: WebKit
Version: Safari 12
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: chlily at chromium.org
https://tools.ietf.org/html/draft-west-leave-secure-cookies-alone-05 says that if we have a pre-existing cookie set over HTTPS that indicates Secure, and we get another cookie of the same name over HTTP, the original Secure cookie should be left alone and the new cookie should not be set.
Repro (Safari 12.1.2):
1. Open http://example.com and https://example.com
2. On the https site, run document.cookie="asdf=foo;secure"
3. On the http site, run document.cookie="asdf=bar"
4. The document.cookie will contain asdf=bar.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190822/430b259f/attachment.html>
More information about the webkit-unassigned
mailing list