Closed
Bug 1618113
Opened 4 years ago
Closed 4 years ago
Allow 'secure' cookies when set by localhost
Categories
(Core :: Networking: Cookies, task)
RESOLVED
FIXED
mozilla75
Tracking | Status | |
---|---|---|
firefox75 | --- | fixed |
People
(Reporter: baku, Assigned: baku)
References
Details
Attachments
(1 file)
Localhost is considered a trusted origin in many APIs and contexts, but not by our cookie service. For instance, localhost is allowed to use SecureContext-only APIs even when not served over https.
> 9. If the scheme component of the request-uri does not denote a
> "secure" protocol (as defined by the user agent), and the
> cookie's secure-only-flag is true, then abort these steps and
> ignore the cookie entirely.
Per RFC6525, what counts as a 'secure' protocol is defined by the user agent. I propose to unify the implementations and use nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin() instead of a simple "https" scheme check.
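The change proposed in the description, sketched as an added example (not Gecko's code and not taken from the patch): step 9 evaluated under an https-only check and under a potentially-trustworthy-origin check. The host rules are an assumption modelled on the W3C Secure Contexts definition; `storeCookie`, `SecurePolicy` and the helpers are hypothetical names.

```cpp
#include <cstddef>
#include <string>

// Illustrative model only; not nsMixedContentBlocker::IsPotentiallyTrustworthyOrigin().
// Inputs are assumed to be an already parsed, lowercased scheme and host.
static bool endsWith(const std::string& s, const std::string& suffix) {
  return s.size() >= suffix.size() &&
         s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// True only for a well-formed dotted-quad literal inside 127.0.0.0/8.
static bool isLoopbackV4(const std::string& host) {
  int parts = 0, value = -1, first = -1;
  for (std::size_t i = 0; i <= host.size(); ++i) {
    char c = i < host.size() ? host[i] : '.';  // sentinel closes the last octet
    if (c >= '0' && c <= '9') {
      value = (value < 0 ? 0 : value * 10) + (c - '0');
      if (value > 255) return false;
    } else if (c == '.' && value >= 0) {
      if (parts++ == 0) first = value;
      value = -1;
    } else {
      return false;  // letters, empty octets, trailing dot
    }
  }
  return parts == 4 && first == 127;
}

bool isPotentiallyTrustworthy(const std::string& scheme, const std::string& host) {
  if (scheme == "https" || scheme == "wss") return true;
  // Match "localhost" exactly or as a real parent label (".localhost"), so that
  // "notlocalhost" and "localhost.example.com" are not treated as loopback.
  if (host == "localhost" || endsWith(host, ".localhost")) return true;
  return isLoopbackV4(host) || host == "[::1]";
}

enum class SecurePolicy { HttpsSchemeOnly, PotentiallyTrustworthy };

// Step 9 of the quoted storage algorithm: returns true if the cookie is kept.
bool storeCookie(const std::string& scheme, const std::string& host,
                 bool secureOnlyFlag, SecurePolicy policy) {
  if (!secureOnlyFlag) return true;  // step 9 only constrains Secure cookies
  return policy == SecurePolicy::HttpsSchemeOnly
             ? scheme == "https"
             : isPotentiallyTrustworthy(scheme, host);
}
```
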
Comment 1•4 years ago
Updated•4 years ago
Assignee: nobody → amarchesini
Status: NEW → ASSIGNED
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c4d13b3ca1e2
Allow 'secure' cookies when set by localhost, r=Ehsan
Comment 3•4 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox75:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75