Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
cookies: leave secure cookies alone (draft-ietf-httpbis-cookie-alone-01) #2956
Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins to influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265.
This is an old patch I dusted off which I wouldn't mind eyes on.
Update: this used to be marked WIP as it lacked the required tests. These have now been added and the PR title is updated to reflect this.
Regarding the replacement policy for when a non-secure cookie is allowed to replace a secure cookie, the document states this for path comparisons:
This leaves some room for implementation details IMHO. I have interpreted it in the most conservative way. The code implementing this could definitely need a set of eyes to ensure it's sane.