Secure; Flag should be ignored when sending to 'localhost' #382
Comments
To be clear, the contributor of #281 self-closed their own pull request. No formal decision was made by the maintainers of this project regarding the validity of that PR 😅 While nothing in RFC6265 explicitly states that there should be an exception for
This is an area where I think Can you give some more details around your use case @ertl?
@colincasey Thank you for your response and for clarifying the status of the previous pull request. You're right to point out that RFC6265 doesn't explicitly mention any exceptions for localhost and the Secure attribute. However, the text around secure channels in section 4.1.2.5 does leave room for interpretation regarding what constitutes a "secure" channel. Our scenario includes an additional proxy app running on localhost. We believe that accessing the proxy via HTTPS is not practical because the connection through localhost is inherently secure due to its local nature, which limits external access and reduces the risk of interception or tampering.
@ertl that makes sense. We'd be open to a PR here if that's something you wanted to attempt. Otherwise, this will go in our list of v6 project goals.
According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies it is fine to send cookies via http even when the flag `secure` is set, as long as the receiving host is localhost. Despite this, a previous attempt to address this problem through pull request #281 was made and subsequently closed. We need to reassess the decision to close the pull request and carefully consider the security implications of allowing cookies to be sent via HTTP in this scenario.