The changeset r221017 helps ensure proper HTTPS behavior for mixed content by blocking secure cookie access for sites that accessed insecure content, and by blocking insecure content loads after a secure cookie is read.

The cURL backend currently has a stub that only serves to let it build. It does not provide the security benefit of the change.

The following updates are needed in CookieJarCurl:

1. cookiesForSession needs to be updated to:
   (a) Accept an IncludeSecureCookies flag.
   (b) Return a std::pair containing the cookie string, and a boolean that indicates if secure cookies were read (didAccessSecureCookies, below).

2. addMatchingCurlCookie needs to be updated to:
   (a) Accept an IncludeSecureCookies flag.
   (b) Accept a boolean reference (e.g., didAccessSecureCookies) that can be set to true if the read process encountered a secure cookie.
   (c) At Line 121, where you read the 'strSecure' flag:
       (I) If 'strSecure' matches TRUE:
           (i) If 'IncludeSecureCookies' flag is set to NO, return. didAccessSecureCookies should be set to false.
           (ii) Otherwise, set didAccessSecureCookies to true and continue.
       (II) Otherwise, continue.

I think that should do it.
*** Bug 175849 has been marked as a duplicate of this bug. ***
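A stand-alone sketch of the secure-flag handling listed in the report above, added here as an illustration and not taken from WebKit or from any patch on this bug. It assumes cookie lines in the tab-separated Netscape format that libcurl returns and that domain and path matching has already been done; `cookiesForLines`, `addCookieLine`, `splitFields`, `sampleCookieLines` and the local `IncludeSecureCookies` enum are hypothetical names.

```cpp
#include <sstream>
#include <string>
#include <utility>
#include <vector>

enum class IncludeSecureCookies { No, Yes }; // local stand-in for the flag in the report

// Netscape cookie line: domain, tailmatch, path, secure, expires, name, value (tab-separated).
static std::vector<std::string> splitFields(const std::string& line)
{
    std::vector<std::string> fields;
    std::stringstream stream(line);
    for (std::string field; std::getline(stream, field, '\t');)
        fields.push_back(field);
    return fields;
}

// Hypothetical counterpart of addMatchingCurlCookie; domain/path matching is assumed done.
static void addCookieLine(const std::string& line, IncludeSecureCookies include, std::string& cookies, bool& didAccessSecureCookies)
{
    auto fields = splitFields(line);
    if (fields.size() < 6)
        return; // malformed line, ignore
    if (fields[3] == "TRUE") { // the 'strSecure' field from the report
        if (include == IncludeSecureCookies::No)
            return; // (i): secure cookie withheld, flag stays as it was
        didAccessSecureCookies = true; // (ii): a secure cookie is being returned
    }
    if (!cookies.empty())
        cookies += "; ";
    cookies += fields[5] + "=" + (fields.size() > 6 ? fields[6] : std::string());
}

// Hypothetical counterpart of cookiesForSession: returns { cookie string, didAccessSecureCookies }.
std::pair<std::string, bool> cookiesForLines(const std::vector<std::string>& lines, IncludeSecureCookies include)
{
    std::string cookies;
    bool didAccessSecureCookies = false;
    for (const auto& line : lines)
        addCookieLine(line, include, cookies, didAccessSecureCookies);
    return { cookies, didAccessSecureCookies };
}

// Constructed sample lines: one ordinary cookie and one secure cookie.
std::vector<std::string> sampleCookieLines()
{
    return { "example.test\tFALSE\t/\tFALSE\t0\ttheme\tdark",
             "example.test\tFALSE\t/\tTRUE\t0\tsession\tabc123" };
}
```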