[Webkit-unassigned] [Bug 231035] New: Unable to Set Cookie with Secure on Localhost without HTTPS

bugzilla-daemon at webkit.org
Thu Sep 30 12:29:07 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=231035

            Bug ID: 231035
           Summary: Unable to Set Cookie with Secure on Localhost without
                    HTTPS
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: macOS 10.14
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: kevin.flanagan at passage.id

Calling document.cookie to set a secure cookie does not work in Safari from any http://localhost/ connection. The local website must be hosted over HTTPS for the cookie to be set with the secure flag.
While I recognize this is appropriate behavior for production websites, other browsers have an exception that allows setting cookies with the secure flag over unsecured HTTP as long as it's localhost, which is useful for testing purposes.

Reproducing this issue is very straightforward; simply making a call like:
document.cookie = 'unsecureCookie=unsecureValue';          // no Secure attribute: stored on both http:// and https://
document.cookie = 'secureCookie=secureValue; secure';      // Secure attribute: only stored on https://localhost/ in Safari

will demonstrate this behavior. Serving this up at http://localhost/ you'll see the unsecure cookie is written, but if you serve it up through https://localhost/ then both cookies will be written.

Based on public documentation about this flag (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies), both cookies should be set in the localhost case only, irrespective of whether the site is provided through HTTP or HTTPS.
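The following is an added example, not part of the bug report above and not WebKit code. It models the behavior the reporter expects (a Secure cookie set via document.cookie is accepted on https:// origins and on http://localhost, and rejected on other plain-http origins) so the two cookies from the report can be checked against each origin, and it includes a small probe you can paste into a page's console to see what a given browser actually stored. The treatment of 127.0.0.1, [::1] and *.localhost as loopback names, and the helper names, are assumptions of this example.

```javascript
// Added example (not from the original report or WebKit): a model of the
// expected Secure-cookie rule plus a browser-side probe.

// Parse a document.cookie assignment string into name, value and attributes.
// Attribute names are compared case-insensitively; Secure carries no value.
function parseCookieString(str) {
  const parts = str.split(';').map(p => p.trim()).filter(Boolean);
  const [nameValue = '', ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? '' : nameValue.slice(0, eq).trim();
  const value = (eq === -1 ? nameValue : nameValue.slice(eq + 1)).trim();
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// An origin counts as trustworthy for Secure cookies if it is https://, or
// plain http:// on a loopback name. Assumption: loopback means localhost,
// *.localhost, 127.0.0.1 or [::1] (WHATWG URL keeps the brackets in hostname).
function isTrustworthyOrigin(url) {
  const u = new URL(url);
  if (u.protocol === 'https:') return true;
  if (u.protocol !== 'http:') return false;
  const h = u.hostname;
  return h === 'localhost' || h.endsWith('.localhost') ||
         h === '127.0.0.1' || h === '[::1]';
}

// Would this cookie string be stored when assigned from a page at pageUrl?
function wouldBeStored(pageUrl, cookieStr) {
  const c = parseCookieString(cookieStr);
  if (!c.name) return false; // simplified: nameless cookies are ignored here
  if (c.attributes.secure && !isTrustworthyOrigin(pageUrl)) return false;
  return true;
}

// Expected result for the two cookies from the report on a given origin.
function expectedOutcomes(pageUrl) {
  const cookies = ['unsecureCookie=unsecureValue', 'secureCookie=secureValue; secure'];
  return Object.fromEntries(
    cookies.map(c => [parseCookieString(c).name, wouldBeStored(pageUrl, c)])
  );
}

// Browser-side probe: paste into the devtools console of a page served from
// http://localhost/ or https://localhost/ and compare with expectedOutcomes().
// Returns null outside a browser so the file also loads under Node.
function probeSecureCookie(doc = (typeof document !== 'undefined' ? document : null)) {
  if (!doc) return null;
  doc.cookie = 'unsecureCookie=unsecureValue';
  doc.cookie = 'secureCookie=secureValue; secure';
  const stored = doc.cookie.split(';').map(s => s.trim().split('=')[0]);
  return {
    unsecureCookie: stored.includes('unsecureCookie'),
    secureCookie: stored.includes('secureCookie'),
  };
}

if (typeof document !== 'undefined') {
  console.log('expected', expectedOutcomes(location.href));
  console.log('observed', probeSecureCookie());
}
```

In a browser that follows the rule the reporter describes, `expected` and `observed` match on both http://localhost/ and https://localhost/; the report says Safari diverges on the former by dropping `secureCookie`.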
