Closed Bug 1618113 Opened 4 years ago Closed 4 years ago

Allow 'secure' cookies when set by localhost

Categories

(Core :: Networking: Cookies, task)

RESOLVED FIXED
mozilla75
Tracking Status
firefox75 --- fixed

People

(Reporter: baku, Assigned: baku)

Attachments

(1 file)

Localhost is considered a trusted origin in many APIs and contexts but not by our cookie service. For instance, localhost is allowed to use SecureContext-only APIs even if not in https.

 9.   If the scheme component of the request-uri does not denote a
        "secure" protocol (as defined by the user agent), and the
        cookie's secure-only-flag is true, then abort these steps and
        ignore the cookie entirely.

By RFC6525, the definition of 'secure' protocol is defined by the user-agent. I propose to unify the implementations and use nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin() instead of a simple "https" scheme check.

Assignee: nobody → amarchesini
Status: NEW → ASSIGNED
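
The effect of the proposal on step 9 quoted in the description, as an added example that is not part of the original bug report and is not Gecko code. `Origin`, `IsSecureBySchemeOnly`, `IsPotentiallyTrustworthy` and `MayStoreCookie` are hypothetical names, and the loopback rules are a simplified assumption (exact `localhost`, `[::1]` and 127.0.0.0/8 only), not a description of what `nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin()` actually accepts.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Simplified model for illustration; the names below are hypothetical and
// this is not Gecko code. Hosts are assumed already canonicalised
// (lower-case, IPv6 literals in brackets) by the URL parser.
struct Origin { std::string scheme; std::string host; };

// True only for a full dotted quad inside 127.0.0.0/8.
static bool IsIPv4Loopback(const std::string& h) {
  int parts = 0, value = 0, digits = 0, first = -1;
  for (std::size_t i = 0; i <= h.size(); ++i) {
    if (i < h.size() && std::isdigit(static_cast<unsigned char>(h[i]))) {
      value = value * 10 + (h[i] - '0');
      if (++digits > 3 || value > 255) return false;
    } else if (i == h.size() || h[i] == '.') {
      if (digits == 0) return false;           // empty label, e.g. "127..1"
      if (parts++ == 0) first = value;
      value = digits = 0;
    } else {
      return false;                            // e.g. "127.0.0.1.evil.example"
    }
  }
  return parts == 4 && first == 127;
}

// The simple check the description wants to replace: scheme alone decides.
bool IsSecureBySchemeOnly(const Origin& o) { return o.scheme == "https"; }

// Check in the spirit of the proposal: https, or a loopback host.
// Exact matches only, so look-alike names such as "localhost.evil.example"
// do not qualify.
bool IsPotentiallyTrustworthy(const Origin& o) {
  return o.scheme == "https" || o.host == "localhost" ||
         o.host == "[::1]" || IsIPv4Loopback(o.host);
}

// Step 9: a cookie with the secure-only-flag is ignored unless the user
// agent considers the request "secure". Returns true if the cookie is kept.
bool MayStoreCookie(const Origin& request, bool secureOnlyFlag,
                    bool (*isSecure)(const Origin&)) {
  return !secureOnlyFlag || isSecure(request);
}
```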
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c4d13b3ca1e2
Allow 'secure' cookies when set by localhost, r=Ehsan
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Regressions: 1648993