Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
cookies: leave secure cookies alone (draft-ietf-httpbis-cookie-alone-01) #2956
Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins to influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265.
This is an old patch I dusted off which I wouldn't mind eyes on.
Update: this used to be marked WIP as it lacked the required tests. These have now been added and the PR title is updated to reflect this.
2 times, most recently
Nov 19, 2018
Regarding the replacement policy for when a non-secure cookie is allowed to replace a secure cookie, the document states this for path comparisons:
This leaves some room for implementation details IMHO. I have interpreted it in the most conservative way. The code implementing this could definitely need a set of eyes to ensure it's sane.