Bug 231035
| Summary: | Unable to Set Cookie with Secure on Localhost without HTTPS | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Kevin Flanagan <kevin.flanagan> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | CC: | beidson |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | macOS 10.14 | | |
Kevin Flanagan
Calling document.cookie to set a secure cookie does not work using Safari from any http://localhost/ connection. The local website must be hosted with HTTPS for the cookie to be set with the secure flag.
While I recognize this is appropriate behavior for production websites, other browsers have an exception to allow setting cookies with the secure flag through unsecured HTTP as long as it's localhost, which is useful for testing purposes.
Reproducing this issue is very straightforward - simply making a call like:
document.cookie = 'unsecureCookie = unsecureValue'
document.cookie = 'secureCookie = secureValue; secure';
Will demonstrate this behavior. Serving this up at http://localhost/ you'll see the unsecure cookie is written but if you serve it up through https://localhost/ then both cookies will be written.
Based on public documentation about this flag - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies - both cookies should be set in the localhost case only irrespective of whether the site is provided through HTTP or HTTPS.
Sam Sneddon [:gsnedders]
This is really just another case of us treating localhost as an insecure context.
*** This bug has been marked as a duplicate of bug 218980 ***
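
The behaviour discussed in this report can be modelled in a few lines. This is an added example, not WebKit code and not written by either commenter; the policy labels `strict` and `loopback-exempt` and all function names are assumptions made for the sketch, and the cookie strings are the two from the report.

```javascript
// Added sketch: models whether a cookie carrying the Secure attribute is
// stored for a page at pageUrl. Policy labels are made up for this example.

// Loopback names and addresses, following the "potentially trustworthy
// origin" rules of the W3C Secure Contexts specification.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '[::1]') return true; // URL.hostname keeps the brackets
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m[1] === '127' && m.slice(1).every(o => Number(o) <= 255);
}

// 'strict': only https pages may set Secure cookies (localhost over http is
// treated as an insecure context). 'loopback-exempt': http pages on a
// loopback host may set them too.
function secureCookieAccepted(pageUrl, policy) {
  const url = new URL(pageUrl);
  if (url.protocol === 'https:') return true;
  if (url.protocol !== 'http:') return false;
  return policy === 'loopback-exempt' && isLoopbackHost(url.hostname);
}

// Simulates a series of document.cookie assignments and returns the names
// of the cookies that would be stored under the given policy.
function storedCookies(pageUrl, policy, assignments) {
  const stored = [];
  for (const assignment of assignments) {
    const [pair, ...attrs] = assignment.split(';').map(s => s.trim());
    const name = pair.split('=')[0].trim();
    const secure = attrs.some(a => a.toLowerCase() === 'secure');
    if (!secure || secureCookieAccepted(pageUrl, policy)) stored.push(name);
  }
  return stored;
}

// The two assignments from the report.
const REPORT_COOKIES = [
  'unsecureCookie = unsecureValue',
  'secureCookie = secureValue; secure',
];

console.log(storedCookies('http://localhost/', 'strict', REPORT_COOKIES));
console.log(storedCookies('http://localhost/', 'loopback-exempt', REPORT_COOKIES));
```

A host such as `localhost.example.test` is not a loopback name, so the exemption does not extend to it.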