Bug 231035 - Unable to Set Cookie with Secure on Localhost without HTTPS
Status: RESOLVED DUPLICATE of bug 218980
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: WebKit Nightly Build
Hardware: Unspecified macOS 10.14
Importance: P2 Normal
Assignee: Nobody
Reported: 2021-09-30 12:29 PDT by Kevin Flanagan
Modified: 2021-10-01 09:15 PDT
Description Kevin Flanagan 2021-09-30 12:29:07 PDT
Calling document.cookie to set a secure cookie does not work using Safari from any http://localhost/ connection. The local website must be hosted with HTTPS for the cookie to be set with the secure flag.
While I recognize this is appropriate behavior for production websites, other browsers have an exception to allow setting cookies with the secure flag through unsecured HTTP as long as it's localhost - which is useful for testing purposes.

Reproducing this issue is very straightforward - simply making a call like: 
document.cookie = 'unsecureCookie = unsecureValue'
document.cookie = 'secureCookie = secureValue; secure';

Will demonstrate this behavior. Serving this up at http://localhost/, you'll see the unsecure cookie is written, but if you serve it up through https://localhost/, then both cookies will be written.

Based on public documentation about this flag - see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies - both cookies should be set in the localhost case only irrespective of whether the site is provided through HTTP or HTTPS.
Comment 1 Sam Sneddon [:gsnedders] 2021-10-01 09:15:42 PDT
This is really just another case of us treating localhost as an insecure context.

*** This bug has been marked as a duplicate of bug 218980 ***
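
Added example (not part of the original report or of WebKit's code): a runtime probe that checks whether the current context accepts a cookie with the Secure attribute, using the same two writes as the reproduction above. The names canSetSecureCookie, makeFakeDocument and reproduce are hypothetical, and the fake document is a constructed stand-in for document.cookie so the probe can run outside a browser.

```javascript
// Probe: write a Secure cookie, read it back, then delete it again.
// `doc` is anything exposing a document.cookie-style accessor.
function canSetSecureCookie(doc, name = '__secure_probe') {
  doc.cookie = `${name}=1; Path=/; Secure`;
  const stored = doc.cookie
    .split(';')
    .some((c) => c.trim().startsWith(`${name}=`));
  // Clean up only if the write succeeded; the delete must also carry Secure.
  if (stored) doc.cookie = `${name}=; Path=/; Secure; Max-Age=0`;
  return stored;
}

// Constructed stand-in for document.cookie (assumption, not a browser API).
// `secureAllowed` models whether the engine treats the page's origin as a
// secure context: false mirrors the http://localhost/ result in the report.
function makeFakeDocument(secureAllowed) {
  const jar = new Map();
  return {
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(str) {
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const key = pair.slice(0, eq).trim();
      const value = pair.slice(eq + 1).trim();
      const flags = attrs.map((a) => a.toLowerCase());
      // A Secure cookie from a context judged insecure is silently dropped.
      if (flags.includes('secure') && !secureAllowed) return;
      if (flags.includes('max-age=0')) jar.delete(key);
      else jar.set(key, value);
    },
  };
}

// The two writes from the report, followed by the probe.
function reproduce(secureAllowed) {
  const doc = makeFakeDocument(secureAllowed);
  doc.cookie = 'unsecureCookie = unsecureValue';
  doc.cookie = 'secureCookie = secureValue; secure';
  return { visible: doc.cookie, secureOk: canSetSecureCookie(doc) };
}
```

In a browser, call canSetSecureCookie(document); a false result on http://localhost/ matches the behavior described in this report.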