This repository has been archived by the owner on Jan 24, 2024. It is now read-only.

Can use cookie functionality on insecure http://localhost, while secure tag is used. #3470

Closed
DZ84 opened this issue Jul 3, 2020 · 7 comments
Assignees
Labels
30 minute task This is a fairly quick issue to fix, estimated time 30 minutes. Content:HTTP This is related to HTTP content

Comments

@DZ84

DZ84 commented Jul 3, 2020

Summary
Can use cookies with secure tag on http://localhost.

Documentation clearly states this shouldn't be possible.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
Chrome does block this behavior.

Checking Firefox secure/info icon next to url recognises that connection is not secure.

Seems I'm not the first one:
https://stackoverflow.com/questions/62307431/firefox-sends-secure-cookies-to-localhost/

Steps To Reproduce (STR)

  1. set secure tag in cookie
  2. test it in localhost

Actual behavior
Trying to add/test secure tag for cookies used for authentication and session management.

Expected behavior
Cookies should not be accepted; the user could not log in or use other functionality related to cookies with the secure tag.

Additional context
Manjaro, Firefox 78.0.1-0

@peterbe

peterbe commented Jul 6, 2020

It sounds like MDN and Chrome are in agreement. But Firefox is not.

@peterbe peterbe closed this as completed Jul 6, 2020
@peterbe

peterbe commented Jul 6, 2020

Sorry. That was a premature press on the "Close and comment" button.

Either way, it's not a bug in MDN (mdn/kuma is the CMS for the developer.mozilla.org website).

If you believe this is a bug in Firefox, we would greatly appreciate you filing a descriptive bug on https://bugzilla.mozilla.org/enter_bug.cgi?product=Firefox
And if you find out that it's actually correctly implemented in the browsers but that https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies is worded incorrectly, then we can easily re-open this issue and triage it as a content problem.

@DZ84
Author

DZ84 commented Jul 6, 2020

Ok thank you. Looking through the bugzilla site I found this behavior is as intended: https://bugzilla.mozilla.org/show_bug.cgi?id=1648993

This would then be a content problem. When looking at the cookies link you provided it seems the sentence:

"A cookie with the Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP, and therefore can't easily be accessed by a man-in-the-middle attacker."

should be modified to something like this:

"A cookie with the Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP (except on localhost), and therefore can't easily be accessed by a man-in-the-middle attacker."

Also on this link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
the Note for the Secure tag could be modified to something like this:

Note: Insecure sites (http:) can't set cookies with the Secure attribute (since Chrome 52 and Firefox 52). For Firefox, the https: requirements are ignored when the Secure attribute is set by localhost (since Firefox 75).
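
The reproduction the STR above asks for (set a Secure cookie, test it on localhost) and the localhost exception this comment proposes documenting, as one added example that is not code from the issue, from MDN or from Firefox. It is a small Node script: a request handler that sets a session cookie with the Secure attribute and reports whether the browser sent it back over plain http, plus a function that models the two policies the thread contrasts (https only, as MDN originally stated, versus the Firefox 75+ localhost exemption). The file name secure-cookie-localhost.js, port 8080, the cookie name `sid` and its value `demo-session` are assumptions; only the literal hostname `localhost` is treated as exempt, because that is all the thread states.

```javascript
// Added example, not the issue's, MDN's or Firefox's own code.
// Run: node secure-cookie-localhost.js   (file name is an assumption)
// Then open http://localhost:8080/login in Firefox and in Chrome and compare
// what http://localhost:8080/ reports afterwards.
'use strict';

const COOKIE_NAME = 'sid';            // assumed name, stands in for a session cookie
const COOKIE_VALUE = 'demo-session';  // constructed value, not a real session ID

// The Set-Cookie header the app under test emits. HttpOnly and SameSite are
// what a session cookie should carry anyway; Secure is the attribute at issue.
function sessionSetCookie() {
  return `${COOKIE_NAME}=${COOKIE_VALUE}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Pure request handler (no sockets) so it can be exercised directly:
// /login sets the Secure cookie; every other path reports whether it came back.
function handle(path, cookieHeader) {
  if (path === '/login') {
    return {
      status: 302,
      headers: { 'Set-Cookie': sessionSetCookie(), Location: '/' },
      body: '',
    };
  }
  const cookies = parseCookieHeader(cookieHeader);
  const present = cookies[COOKIE_NAME] === COOKIE_VALUE;
  return {
    status: 200,
    headers: { 'Content-Type': 'text/plain' },
    body: present
      ? `Secure cookie "${COOKIE_NAME}" WAS sent back by the browser.\n`
      : `Secure cookie "${COOKIE_NAME}" was NOT sent. Visit /login to set it, then reload.\n`,
  };
}

// Model of whether a browser stores and sends a Secure cookie for a URL.
//   localhostExempt=false: https only (what MDN described before this issue).
//   localhostExempt=true : Firefox 75+ behaviour from the thread, where
//                          http://localhost is also allowed.
// Loopback IP addresses are deliberately not treated as exempt: the thread
// says nothing about them, so only the hostname "localhost" is modelled.
function secureCookieAllowed(urlString, { localhostExempt }) {
  const u = new URL(urlString);
  if (u.protocol === 'https:') return true;
  if (u.protocol !== 'http:') return false;
  return Boolean(localhostExempt && u.hostname === 'localhost');
}

// Bind to the loopback interface only when run as a script (CommonJS).
if (typeof require !== 'undefined' && require.main === module) {
  const http = require('http');
  const server = http.createServer((req, res) => {
    const path = new URL(req.url, 'http://localhost').pathname;
    const { status, headers, body } = handle(path, req.headers.cookie);
    res.writeHead(status, headers);
    res.end(body);
  });
  server.listen(8080, '127.0.0.1', () => {
    console.log('open http://localhost:8080/login in the browser under test');
  });
}
```

With the script running, Firefox 75+ shows the "WAS sent back" line on http://localhost:8080/ after visiting /login, which is the behaviour reported in this issue; a browser that follows the https-only rule shows "was NOT sent" because it never stored the cookie. Pointing the same script at a non-localhost http host name is the case both policies agree on.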

@peterbe peterbe reopened this Jul 6, 2020
@peterbe peterbe transferred this issue from mdn/kuma Jul 6, 2020
@Elchi3 Elchi3 added the Content:HTTP This is related to HTTP content label Jul 10, 2020
@Elchi3 Elchi3 added this to Needs triage in HTTP docs MDN content board via automation Jul 10, 2020
@jmswisher jmswisher self-assigned this Aug 4, 2020
@DZ84
Author

DZ84 commented Sep 28, 2020

A bump to remind and ask: is this still under consideration?

@chrisdavidmills chrisdavidmills added the 30 minute task This is a fairly quick issue to fix, estimated time 30 minutes. label Sep 28, 2020
@DZ84
Author

DZ84 commented Sep 28, 2020

I have made the adjustments via the wiki in both documents and they have been accepted.

@DZ84 DZ84 closed this as completed Sep 28, 2020
HTTP docs MDN content board automation moved this from Needs triage to Closed Sep 28, 2020
@sideshowbarker

@DZ84 Thanks — I post-reviewed your changes at:

…and it all looks great

@DZ84
Author

DZ84 commented Sep 29, 2020

ahaa, thanks!


6 participants