"WebDriver:AddCookie" should not secure cookies for insecure connections (HTTP)
Categories: Remote Protocol :: Marionette, defect, P3
Tracking: Not tracked
People: Reporter: whimboo, Unassigned
Originally reported as: https://github.com/mozilla/geckodriver/issues/1840
Currently it is possible to set cookies with the secure flag set to true for non-secure connections (HTTP). This should be denied, and probably an error thrown.
The WebDriver spec for that isn't that clear. As such I requested a new issue for the spec so that it's clear how we have to implement it.
Comment 1 (Reporter) • 4 years ago
As Titus noted on the GitHub issue, there is no need to update the WebDriver spec. The relevant parts can be found here:
https://tools.ietf.org/id/draft-ietf-httpbis-rfc6265bis-05.html#storage-model
- If the scheme component of the request-uri does not denote a “secure” protocol (as defined by the user agent), and the cookie’s secure-only-flag is true, then abort these steps and ignore the cookie entirely.
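The storage-model step quoted above, applied to a WebDriver-style cookie object, as an added example that is not Marionette's code. The names `checkSecureOnly`, `addCookie`, `InsecureCookieError` and the contents of `SECURE_SCHEMES` are assumptions; the draft leaves "secure protocol" to be defined by the user agent.

```javascript
"use strict";

// Assumption: schemes this sketch treats as "secure" (user-agent defined in the draft).
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

class InsecureCookieError extends Error {}

// Decide whether a cookie may be stored for the document at pageUrl.
// Mirrors the quoted step: secure-only-flag true + non-secure scheme => ignore.
function checkSecureOnly(cookie, pageUrl) {
  let scheme;
  try {
    scheme = new URL(pageUrl).protocol; // e.g. "http:"
  } catch (e) {
    return { store: false, reason: "unparseable request-uri" };
  }
  // Only a literal boolean true sets the secure-only-flag in this sketch.
  const secureOnly = cookie.secure === true;
  if (secureOnly && !SECURE_SCHEMES.has(scheme)) {
    return { store: false, reason: `secure-only cookie on ${scheme} connection` };
  }
  return { store: true, reason: "ok" };
}

// Hypothetical command handler: raises an error instead of silently
// dropping the cookie, which is the behaviour the report asks for.
function addCookie(jar, cookie, pageUrl) {
  const verdict = checkSecureOnly(cookie, pageUrl);
  if (!verdict.store) throw new InsecureCookieError(verdict.reason);
  jar.set(cookie.name, { ...cookie });
  return jar;
}

// Constructed sample input, not taken from the bug report.
const samples = [
  [{ name: "sid", value: "1", secure: true }, "http://example.test/"],
  [{ name: "sid", value: "1", secure: true }, "https://example.test/"],
  [{ name: "theme", value: "dark", secure: false }, "http://example.test/"],
];
for (const [cookie, url] of samples) {
  const v = checkSecureOnly(cookie, url);
  console.log(`${url} ${cookie.name} secure=${cookie.secure} -> ${v.reason}`);
}
```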
Comment 2 (Reporter) • 4 years ago
Actually the above is a draft... So I assume https://tools.ietf.org/html/rfc6265#section-4.1.2.5 is the right part to refer to here.
Comment 3 (Reporter) • 4 years ago
I filed https://github.com/w3c/webdriver/issues/1571 to get an agreement on what the right behavior would be.
Updated•2 years ago