[Webkit-unassigned] [Bug 231035] New: Unable to Set Cookie with Secure on Localhost without HTTPS
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Sep 30 12:29:07 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=231035
Bug ID: 231035
Summary: Unable to Set Cookie with Secure on Localhost without
HTTPS
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: macOS 10.14
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: kevin.flanagan at passage.id
Calling document.cookie to set a secure cookie does not work using Safari from any http://localhost/ connection. The local website must be hosted with HTTPS for the cookie to be set with the secure flag.
While I recognize this is appropriate behavior for production websites other browsers have an exception to allow setting cookies with the secure flag through an unsecured HTTP as long as its localhost - which is useful for testing purposes.
Reproducing this issue is very straightforward - simply making a call like:
document.cookie = 'unsecureCookie = unsecureValue'
document.cookie = 'secureCookie = secureValue; secure';
Will demonstrate this behavior. Serving this up at http://localhost/ you'll see the unsecure cookie is written but if you serve it up through https://localhost/ then both cookies will be written.
Based on public documentation about this flag - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies - both cookies should be set in the localhost case only irrespective of whether the site is provided through HTTP or HTTPS.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210930/39a5e83b/attachment.htm>
More information about the webkit-unassigned
mailing list