Closed Bug 516370 Opened 15 years ago Closed 15 years ago

Firefox 3.5 always sets cookies on https Websites as "Encrypted connections only"

Categories

(Firefox :: Security, defect)

3.5 Branch
x86
Windows Vista
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: christophe_waber, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.3) Gecko/20090824 (CK-SwissPost) Firefox/3.5.3 (.NET CLR 3.5.30729) SwissPost/4.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.3) Gecko/20090824 (CK-SwissPost) Firefox/3.5.3 (.NET CLR 3.5.30729) SwissPost/4.0

When I'm on a https page and the page sets a normal Cookie "for any type of sessions"

see the corresponding "Live http headers" order from the website :
"Set-Cookie: language=de; Domain=.post.ch; Max-Age=31449600; Path="/"; Version=1; HttpOnly"

Firefox 3.5 sets a secure cookie (Firefox 3.0.7 didn't, it wrote a normal "for any type of session" cookie)

Reproducible: Always

Steps to Reproduce:
1. clear cache + cookies
2. navigate to a https page that sets a "non secure" cookie (I can't give the example because it needs a password)
3. 
Actual Results:  
Look in the cookies : it's "secure" i.e. for "encrypted connections only"

(I've had a look on it with the add-on "Live http headers" where I can see that the page sends the request right)

Expected Results:  
The cookie should be written like with Firefox 3.0.7 : "for any type of session" and not only for "Encrypted".

This "worksforme". 
  1. clear cookies
  2. go to https://addons.mozilla.org/
  3. check cookies -- none of them are "secure" cookies

(if you log in to addons.mozilla.org you'll get a secure-only session cookie, but just that one)

You obviously don't have a "stock" Firefox, you've got at least some "SwissPost/4.0" thing. Could this be one of your addons trying to be helpful?

You are right, thank you.

The problem effectively comes from swisspost 4.0. But it works well on your example. So I think it is an internal problem.

Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
Version: unspecified → 3.5 Branch
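
A cookie is restricted to encrypted connections when the server sends the Secure attribute, not merely because the page was loaded over https. The following added example (not part of the bug thread and not Firefox code) parses the Set-Cookie header quoted in the report and shows the scope a browser should record for it; the function names, scope strings and the second sample header are constructed for illustration.

```python
# Added example: read the attributes of a Set-Cookie header value and report
# which connection types the cookie should be returned on.
# Simplification: splits on ';', so quoted values containing ';' are not handled.

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure and
        # HttpOnly carry no value, so record True for them.
        attrs[key.strip().lower()] = val.strip().strip('"') if sep else True
    return name.strip(), cookie_value.strip(), attrs


def connection_scope(attrs):
    """Presence of the Secure attribute alone decides the scope."""
    if "secure" in attrs:
        return "encrypted connections only"
    return "any type of connection"


def audit(headers):
    """Return (cookie name, scope, HttpOnly set?) for each header value."""
    report = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        report.append((name, connection_scope(attrs), "httponly" in attrs))
    return report


# Header value quoted in the report above.
REPORTED = 'language=de; Domain=.post.ch; Max-Age=31449600; Path="/"; Version=1; HttpOnly'
# Constructed sample for contrast: a cookie the server marks as Secure.
CONSTRUCTED_SECURE = "session=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for row in audit([REPORTED, CONSTRUCTED_SECURE]):
        print(row)
```

Running the same check against headers captured with and without an add-on enabled shows whether the server or the client side is adding the restriction.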