Secure cookies not being sent over localhost

[Tom-Dann]

Brief summary

When calling a service on localhost, if cookies are set with Secure: true they are not sent in following requests if the connection is over HTTP.

As per documentation secure cookies should only be sent over HTTPS except in the case of requests on localhost. See Set-Cookie header documentation.

k6 version

0.47.0

OS

macOS 13

Docker version and image (if applicable)

No response

Steps to reproduce the problem

Run the following k6 script, which sets two cookies on http://localhost, one with the secure flag set to false and the other to true

import http from 'k6/http'

export default function () {
  const jar = http.cookieJar()
  const url = 'http://localhost'
  jar.set(url, 'insecure_cookie', 'val1', { secure: false })
  jar.set(url, 'secure_cookie', 'val2', { secure: true })
  console.log(jar.cookiesForURL(url))
}

Expected behaviour

As per Set-Cookie documentation k6 should output both cookies to the console

{"insecure_cookie":["val1"],"secure_cookie":["val2"]}

Actual behaviour

The actual output to console is only the cookie without the secure flag set to true

{"insecure_cookie":["val1"]}

[Tom-Dann]

Looking at the k6 code this behaviour comes from the underlying net/http/cookiejar Go implementation.

Related issue: golang/go#60997