Calling document.cookie to set a secure cookie does not work using Safari from any http://localhost/ connection. The local website must be hosted with HTTPS for the cookie to be set with the secure flag. While I recognize this is appropriate behavior for production websites other browsers have an exception to allow setting cookies with the secure flag through an unsecured HTTP as long as its localhost - which is useful for testing purposes. Reproducing this issue is very straightforward - simply making a call like: document.cookie = 'unsecureCookie = unsecureValue' document.cookie = 'secureCookie = secureValue; secure'; Will demonstrate this behavior. Serving this up at http://localhost/ you'll see the unsecure cookie is written but if you serve it up through https://localhost/ then both cookies will be written. Based on public documentation about this flag - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies - both cookies should be set in the localhost case only irrespective of whether the site is provided through HTTP or HTTPS.
This is really just another case of us treating localhost as an insecure context. *** This bug has been marked as a duplicate of bug 218980 ***