
Invalid Secure Cookie handling with localhost #1308

Closed
2 tasks done
Oliver-Fish opened this issue Mar 1, 2022 · 1 comment · Fixed by #1327
Labels
bug Something isn't working

Comments

@Oliver-Fish

Checklist

  • I've searched for similar issues.
  • I'm using the latest version of HTTPie.

Minimal reproduction code and steps

Given the following tiny Go HTTP server

package main

import (
	"net/http"
)

// set issues a Secure, SameSite=None session cookie over plain HTTP.
// The Secure flag is the attribute under test in this report.
func set(rw http.ResponseWriter, _ *http.Request) {
	http.SetCookie(rw, &http.Cookie{
		Name:     "session-token",
		Value:    "token here",
		Secure:   true,
		HttpOnly: false,
		SameSite: http.SameSiteNoneMode,
	})
	rw.Write(nil) // empty 200 response
}

// get echoes the session-token cookie back, or an empty body if the
// client did not send it.
func get(rw http.ResponseWriter, req *http.Request) {
	cookie, err := req.Cookie("session-token")
	if err != nil {
		rw.Write(nil)
		return
	}
	rw.Write([]byte(cookie.Value))
}

func main() {
	http.HandleFunc("/set-cookie", set)
	http.HandleFunc("/get-cookie", get)

	// Plain HTTP on localhost; no TLS is involved anywhere in the repro.
	panic(http.ListenAndServe(":8090", nil))
}

If you set the cookie to a session with the following command

http --session=./session.json GET http://localhost:8090/set-cookie

I would expect to be able to get the cookie value by next running

http --session=./session.json GET http://localhost:8090/get-cookie

However, the cookie is unset in the second request if the Secure flag is set to true.

As per the spec:
A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol. It's never sent with unsecured HTTP (except on localhost), which means man-in-the-middle attackers can't access it easily. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies)

This appears to be mishandled in HTTPie, as it is not sending secure cookies when localhost is used.

Expected Behavior

Secure cookies are sent in localhost requests even if https is not in use

Actual Behavior

Secure cookies are not set
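As an added illustration of the behaviour described in this report (example code, not HTTPie's or the reporter's): HTTPie's HTTP stack builds on the standard library's http.cookiejar, whose default policy withholds a Secure cookie from any request whose scheme is not https. The policy below keeps that check but also treats loopback hosts as a secure context, and replays a constructed Set-Cookie matching the report through both policies. The loopback host set (localhost, *.localhost, 127.0.0.0/8, ::1) is this example's assumption.

```python
# Constructed example (not HTTPie's code): a cookie policy that lets Secure
# cookies reach loopback hosts over plain http, as the MDN text quoted above says.
import email.message
import ipaddress
import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy, request_host

def is_loopback_host(host: str) -> bool:
    """localhost, *.localhost, 127.0.0.0/8 and ::1: the hosts browsers treat as a
    secure context without TLS (that set is this example's assumption)."""
    host = host.lower().rstrip(".").strip("[]")
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

class LoopbackAwarePolicy(DefaultCookiePolicy):
    """DefaultCookiePolicy.return_ok_secure decides by URL scheme alone, so a Secure
    cookie is withheld from http://localhost; this variant also accepts loopback."""
    def return_ok_secure(self, cookie, request):
        if not cookie.secure or request.type in ("https", "wss"):
            return True
        return is_loopback_host(request_host(request))  # request host, port removed

class _Response:  # stand-in for an HTTP response: extract_cookies only needs .info()
    def __init__(self, set_cookie: str):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie
    def info(self):
        return self._headers

def cookie_header_after_roundtrip(policy, set_url, set_cookie, get_url):
    """Store the Set-Cookie received from set_url, then return the Cookie header
    the jar attaches to a request for get_url (None if the policy withholds it)."""
    jar = CookieJar(policy=policy)
    jar.extract_cookies(_Response(set_cookie), urllib.request.Request(set_url))
    req = urllib.request.Request(get_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")

# Constructed inputs mirroring the report: Secure cookie set over plain http on localhost.
SET_COOKIE = "session-token=token-here; Secure; SameSite=None"
SET_URL, GET_URL = "http://localhost:8090/set-cookie", "http://localhost:8090/get-cookie"

if __name__ == "__main__":
    for policy in (DefaultCookiePolicy(), LoopbackAwarePolicy()):
        sent = cookie_header_after_roundtrip(policy, SET_URL, SET_COOKIE, GET_URL)
        print(f"{type(policy).__name__}: Cookie header = {sent!r}")
```

The same policy still withholds the Secure cookie from a plain-http request to a non-loopback host, so the relaxation is limited to the case the MDN text carves out.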

@Oliver-Fish Oliver-Fish added bug Something isn't working new Needs triage. Comments are welcome! labels Mar 1, 2022
@isidentical isidentical removed the new Needs triage. Comments are welcome! label Mar 1, 2022
@isidentical
Contributor

Thanks for the report @Oliver-Fish, we are looking into it.
