Bug 231035

Summary: Unable to Set Cookie with Secure on Localhost without HTTPS
Product: WebKit Reporter: Kevin Flanagan <kevin.flanagan>
Component: Page LoadingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: beidson
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: macOS 10.14   

Description Kevin Flanagan 2021-09-30 12:29:07 PDT 
Calling document.cookie to set a secure cookie does not work using Safari from any http://localhost/ connection. The local website must be hosted with HTTPS for the cookie to be set with the secure flag.
While I recognize this is appropriate behavior for production websites other browsers have an exception to allow setting cookies with the secure flag through an unsecured HTTP as long as its localhost - which is useful for testing purposes. 

Reproducing this issue is very straightforward - simply making a call like: 
document.cookie = 'unsecureCookie = unsecureValue'
document.cookie = 'secureCookie = secureValue; secure';

Will demonstrate this behavior. Serving this up at http://localhost/ you'll see the unsecure cookie is written but if you serve it up through https://localhost/ then both cookies will be written. 

Based on public documentation about this flag - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies - both cookies should be set in the localhost case only irrespective of whether the site is provided through HTTP or HTTPS.
Comment 1 Sam Sneddon [:gsnedders] 2021-10-01 09:15:42 PDT 
This is really just another case of us treating localhost as an insecure context.

*** This bug has been marked as a duplicate of bug 218980 ***