Bug 1818657 Comment 5 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to Henrik Skupin [:whimboo][⌚️UTC+1] from comment #3)
> As such it's a bug that needs to be fixed but not security related.

OK, removing the relevant group then.

> The problem is actually in the implementation of [`cookie.iter()`](https://searchfox.org/mozilla-central/rev/a3a9112d4d73d1323eabbc7faa9937cd9aae6465/remote/marionette/cookie.sys.mjs#258-295) where we only pass-in the host but not the schema. As such we do not filter out secure cookies.

I'm unfamiliar with webdriver, but wouldn't the expectation from users of the API be that `get_cookies` uses the context in which it is invoked to produce cookies? In particular, would the expectation be that `SameSite` cookies being returned depended on whether they were sent with the document at the time? I'd have similar questions around containers/userContextId.

(In reply to Henrik Skupin [:whimboo][⌚️UTC+1] from comment #3)
> As such it's a bug that needs to be fixed but not security related.

OK, removing the relevant group then.

> The problem is actually in the implementation of [`cookie.iter()`](https://searchfox.org/mozilla-central/rev/a3a9112d4d73d1323eabbc7faa9937cd9aae6465/remote/marionette/cookie.sys.mjs#258-295) where we only pass-in the host but not the schema. As such we do not filter out secure cookies.

I'm unfamiliar with webdriver, but wouldn't the expectation from users of the API be that `get_cookies` uses the context in which it is invoked to produce cookies? In particular, would the expectation be that `SameSite` cookies being returned depended on whether they were sent with the document at the time? I'd have similar questions around containers/userContextId, and private browsing.
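
The host-only versus host-plus-scheme filtering discussed in the comment above, as an added example that is not part of the bug comment and is not Marionette's code. The cookie store, its field names and both functions are hypothetical, and only the `Secure` attribute is modelled.

```javascript
// Constructed cookie store; names, hosts and fields are illustrative only.
const jar = [
  { name: "sid", host: "example.org", isSecure: true },
  { name: "theme", host: "example.org", isSecure: false },
  { name: "wild", host: ".example.org", isSecure: true },
  { name: "other", host: "example.net", isSecure: false },
];

// Host match in the style of cookie domain matching: an exact host, or a
// domain cookie (leading dot) whose domain is a suffix of the host.
function hostMatches(cookieHost, host) {
  if (cookieHost.startsWith(".")) {
    const domain = cookieHost.slice(1);
    return host === domain || host.endsWith("." + domain);
  }
  return cookieHost === host;
}

// Host-only filter: the behaviour the comment describes. Nothing here knows
// the document's scheme, so Secure cookies are returned for http: pages too.
function* iterByHost(store, host) {
  for (const c of store) {
    if (hostMatches(c.host, host)) yield c;
  }
}

// Host plus scheme: Secure cookies are only returned for https: documents.
function* iterByUrl(store, url) {
  const { hostname, protocol } = new URL(url);
  for (const c of iterByHost(store, hostname)) {
    if (c.isSecure && protocol !== "https:") continue;
    yield c;
  }
}

// Helper to collect cookie names from either iterator.
const names = (it) => [...it].map((c) => c.name);

console.log(names(iterByHost(jar, "example.org")));
console.log(names(iterByUrl(jar, "http://example.org/")));
console.log(names(iterByUrl(jar, "https://example.org/")));
```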
