Secure Cookie flag #2320

Open
lieryan opened this issue Feb 25, 2016 · 9 comments

Comments

@lieryan lieryan commented Feb 25, 2016

Secure flag for Cookie marks when a Cookie can only be sent over HTTPS connection.

Related to #1415.

@cvrebert cvrebert (Contributor) commented Oct 3, 2016

+1

@ElleshaHackett ElleshaHackett (Contributor) commented Apr 20, 2017

+1 (and in the security category)


@long76 long76 commented Aug 9, 2018

+1

@GPHemsley GPHemsley commented Jan 16, 2022

Is this distinct from HttpOnly (#1415) and cookie prefixes (#4311)?

If not, I believe these are now covered by MDN data:
https://caniuse.com/mdn-http_headers_set-cookie_httponly
https://caniuse.com/mdn-http_headers_set-cookie_cookie_prefixes

@cvrebert cvrebert (Contributor) commented Jan 18, 2022

It appears to be distinct. A cookie prefix can impose a requirement that the cookie also have the Secure flag. So optimal security might involve using both together, but even then, the MDN example for prefixes shows the server also setting the Secure flag explicitly.

HttpOnly would be more intuitively termed NotReadableFromJavaScript, so there's no relation to Secure (i.e. HTTPS-only).
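The relationship between the Secure attribute, HttpOnly and the cookie prefixes that the thread is sorting out can be checked mechanically. The following is an added example, not code from this issue or from the caniuse project: a small Set-Cookie parser plus a validator that applies the prefix rules from RFC 6265bis (`__Secure-` needs the Secure attribute and a secure origin; `__Host-` additionally needs `Path=/` and no `Domain` attribute) and, going slightly beyond the thread, the rule that `SameSite=None` requires Secure. The function names (`parseSetCookie`, `checkCookie`, `checkSamples`), the `secureOrigin` boolean standing in for "the response arrived over HTTPS", and the sample headers are all constructed for this example.

```javascript
// Added example, not part of the caniuse issue or project.
// Parses one Set-Cookie header value into name, value and a lowercase
// attribute map. Flag attributes (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq >= 0 ? parts[0].slice(0, eq).trim() : parts[0];
  const value = eq >= 0 ? parts[0].slice(eq + 1).trim() : '';
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    attrs[key] = i >= 0 ? attr.slice(i + 1).trim() : true;
  }
  return { name, value, attrs };
}

// Applies the RFC 6265bis acceptance rules a browser uses for the attributes
// discussed above. `secureOrigin` (assumption for this example) models
// whether the Set-Cookie response was delivered over HTTPS.
function checkCookie(header, secureOrigin) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  const secure = attrs.secure === true;
  const httpOnly = attrs.httponly === true;
  const sameSite =
    typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;

  // "Leave Secure Cookies Alone": a Secure cookie from a non-secure origin is rejected.
  if (secure && !secureOrigin) {
    problems.push('Secure cookie set from a non-secure origin is rejected');
  }
  if (sameSite === 'none' && !secure) {
    problems.push('SameSite=None requires the Secure attribute');
  }
  // Prefix rules: the prefix is only a constraint, the Secure attribute still
  // has to be set explicitly (as the MDN example in the thread does).
  if (name.startsWith('__Secure-')) {
    if (!secure) problems.push('__Secure- prefix requires the Secure attribute');
    if (!secureOrigin) problems.push('__Secure- cookie must be set from a secure origin');
  }
  if (name.startsWith('__Host-')) {
    if (!secure) problems.push('__Host- prefix requires the Secure attribute');
    if (!secureOrigin) problems.push('__Host- cookie must be set from a secure origin');
    if ('domain' in attrs) problems.push('__Host- prefix forbids the Domain attribute');
    if (attrs.path !== '/') problems.push('__Host- prefix requires Path=/');
  }
  // HttpOnly is independent of all of the above: it only hides the cookie from
  // document.cookie and never affects whether the cookie is accepted.
  return { name, secure, httpOnly, sameSite, accepted: problems.length === 0, problems };
}

// Constructed sample headers paired with the (assumed) origin scheme.
const SAMPLES = [
  ['session=abc123; Secure; HttpOnly; Path=/', true],
  ['__Host-sid=xyz; Secure; HttpOnly; Path=/', true],
  ['__Host-sid=xyz; Secure; Path=/; Domain=example.com', true],
  ['__Secure-tok=1; HttpOnly', true],
  ['session=abc123; Secure', false],
  ['legacy=1; SameSite=None', true],
];

function checkSamples() {
  return SAMPLES.map(([header, secureOrigin]) => checkCookie(header, secureOrigin));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of checkSamples()) {
    console.log(r.name, r.accepted ? 'accepted' : 'rejected', r.problems.join('; '));
  }
}
```

Only the first two samples are accepted; the `__Host-` cookie with a `Domain`, the `__Secure-` cookie without Secure, the Secure cookie sent over plain HTTP, and the `SameSite=None` cookie without Secure are each rejected for exactly one reason, which is what makes Secure a distinct feature from both the prefixes and HttpOnly.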

@GPHemsley GPHemsley commented Jan 19, 2022

> It appears to be distinct. A cookie prefix can impose a requirement that the cookie also have the Secure flag.

Oh, yes, of course:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
https://httpwg.org/specs/rfc6265.html#rfc.section.4.1.2.5

Is this covered by "Secure context required" and/or "schemeful"?
https://caniuse.com/mdn-http_headers_set-cookie_samesite_secure_context_required
https://caniuse.com/mdn-http_headers_set-cookie_samesite_schemeful

@cvrebert cvrebert (Contributor) commented Jan 19, 2022

I'm not sure keyword-searching unaccompanied by research is an optimal method for correlating features to MDN data...

Presumably "secure context" refers to https://w3c.github.io/webappsec-secure-contexts/ , which is in large part about framing and workers, not just HTTPS; so I'm skeptical of any relation to cookies. But it's also unclear WTF that MDN datum is about.

@GPHemsley GPHemsley commented Jan 19, 2022

> But it's also unclear WTF that MDN datum is about.

That's precisely why I was asking. I was trying to correlate available compat data with the topics covered on the MDN documentation page.

A lot has changed in the realm of security since Set-Cookie was introduced and, indeed, since this issue was filed. I am merely trying to identify whether the use and support of Secure has been superseded or subsumed by another concept (such as SameSite).

FWIW, "secure context required" was added in mdn/browser-compat-data#5426 and "schemeful" was added in mdn/browser-compat-data#9352.
