
tests/test_cookiejar.py: add test #5652

Closed
wants to merge 1 commit into from

Commits on Apr 26, 2021

  1. tests/test_cookiejar.py: add test

    In accordance with #5571, this
    commit adds a test to ensure secure cookies are not filtered from an unsafe
    cookiejar when given an unsecured endpoint.
    
    Rationale:
    
    According to Mozilla documentation:
    > A cookie with the Secure attribute is sent to the server only with an
    > encrypted request over the HTTPS protocol, never with unsecured HTTP
    > (except on localhost), and therefore can't easily be accessed by a
    > man-in-the-middle attacker. Insecure sites (with http: in the URL) can't
    > set cookies with the Secure attribute
    
    Note the "(except on localhost)". In addition, RFC 6265 section 4.1.2.5 states:
    
    > The Secure attribute limits the scope of the cookie to "secure"
    > channels (where "secure" is defined by the user agent). When a
    > cookie has the Secure attribute, the user agent will include the
    > cookie in an HTTP request only if the request is transmitted over a
    > secure channel (typically HTTP over Transport Layer Security (TLS)
    > [RFC2818]).
    > Although seemingly useful for protecting cookies from active network
    > attackers, the Secure attribute protects only the cookie's
    > confidentiality
    
    Note "(where "secure" is defined by the user agent)".  The behaviour
    this commit tests for is therefore an engineer's decision, not an IETF
    standard.
    DanielDewberry committed Apr 26, 2021
    Commit 52f9d92
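The Secure-attribute filtering that the commit message reasons about, as an added example that is neither aiohttp's `CookieJar` nor the test in this PR: a toy user-agent filter over stdlib `http.cookies` objects in which "secure channel" means an `https`/`wss` scheme plus a caller-supplied set of plaintext origins to treat as secure, which is one way to express the "(except on localhost)" carve-out while still dropping Secure cookies for every other `http:` endpoint. The function names, the `treat_as_secure_origin` parameter and the sample cookies are assumptions constructed for this example.

```python
"""Toy RFC 6265 section 4.1.2.5 filter: decide whether Secure cookies may be
attached to a request.  Added example, not aiohttp code.  The notion of
"secure channel" is the user agent's choice; here it is https/wss plus an
explicit allow-list of plaintext origins (e.g. a local dev server)."""
from http.cookies import SimpleCookie
from typing import Dict, Iterable
from urllib.parse import urlsplit

# Schemes this toy user agent always regards as a secure channel.
SECURE_SCHEMES = frozenset({"https", "wss"})


def _origin(url: str) -> str:
    """Normalise a URL to its scheme://host[:port] origin, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_secure_channel(url: str, treat_as_secure_origin: Iterable[str] = ()) -> bool:
    """Return True if this policy regards ``url`` as a secure channel.

    Assumption (not mandated by RFC 6265): the caller lists the plaintext
    origins it is willing to trust, such as "http://localhost:8080".  The
    port is part of the origin, so "http://localhost" does not cover it.
    """
    if urlsplit(url).scheme in SECURE_SCHEMES:
        return True
    trusted = {_origin(o) for o in treat_as_secure_origin}
    return _origin(url) in trusted


def filter_cookies(
    jar: SimpleCookie, url: str, treat_as_secure_origin: Iterable[str] = ()
) -> Dict[str, str]:
    """Return name -> value for the cookies in ``jar`` allowed on a request to ``url``.

    Only the Secure attribute is evaluated; Domain, Path and Expires matching
    are out of scope for this example.  A Secure cookie is dropped unless the
    channel is secure per ``is_secure_channel``; non-Secure cookies always pass.
    """
    secure = is_secure_channel(url, treat_as_secure_origin)
    return {
        name: morsel.value
        for name, morsel in jar.items()
        if secure or not morsel["secure"]
    }


def build_sample_jar() -> SimpleCookie:
    """Constructed sample jar: one Secure session cookie and one plain cookie."""
    jar = SimpleCookie()
    jar.load("session=abc123; Secure; HttpOnly; Path=/")
    jar.load("theme=dark; Path=/")
    return jar


if __name__ == "__main__":
    jar = build_sample_jar()
    for target, trusted in [
        ("http://example.com/", ()),
        ("https://example.com/", ()),
        ("http://localhost:8080/", ()),
        ("http://localhost:8080/", ("http://localhost:8080",)),
    ]:
        print(f"{target:28s} trusted={trusted!r:28s} -> {filter_cookies(jar, target, trusted)}")
```

The third and fourth calls show the engineering decision the commit message points at: with an empty trust list the Secure cookie is withheld from `http://localhost:8080` exactly as from any other plaintext origin, and it is only released once the caller has explicitly declared that origin secure.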