According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies it is fine to send cookies via http even when the flag `secure` is set, as long as the receiving host is localhost. Despite this, a previous attempt to address this problem through pull request #281 was made and subsequently closed. We need to reassess the decision to close the pull request and carefully consider the security implications of allowing cookies to be sent via HTTP in this scenario.
To be clear, the contributor of #281 self-closed their own pull request. No formal decision was made by the maintainers of this project regarding the validity of that PR 😅
While nothing in RFC6265 explicitly states that there should be an exception for localhost and the Secure attribute, there is some text around secure channels in section 4.1.2.5:
> The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent)
This is an area where I think tough-cookie would benefit from having a better internal representation of a User Agent or User Agent Policy to assist in either determining or configuring how the library behaves in cases like this.
Can you give some more details around your use case @ertl?
@colincasey Thank you for your response and for clarifying the status of the previous pull request.
You're right to point out that RFC6265 doesn't explicitly mention any exceptions for localhost and the Secure attribute. However, the text around secure channels in section 4.1.2.5 does leave room for interpretation regarding what constitutes a "secure" channel.
Our scenario includes an additional proxy app running on localhost. We believe that accessing the proxy via HTTPS is not practical because the connection through localhost is inherently secure due to its local nature, which limits external access and reduces the risk of interception or tampering.
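A sketch of the user-agent-policy idea raised above, applied to the localhost proxy scenario. This is an added example and not tough-cookie's code or API: it models a pluggable "secure channel" predicate in plain Node.js, with the strict RFC 6265 reading next to a browser-style policy that also treats plain http to a loopback host (localhost, *.localhost, 127.0.0.0/8, [::1], the hosts the W3C Secure Contexts spec calls potentially trustworthy) as secure. The function names, the policy names and the sample cookies are assumptions made for the example.

```javascript
// Added example, not part of tough-cookie: a pluggable "secure channel" policy.
// Names (strictPolicy, localhostExemptPolicy, sendableCookies) are assumptions.

// Strict reading of RFC 6265 section 4.1.2.5: only TLS-protected schemes
// count as a "secure" channel.
function strictPolicy(url) {
  return url.protocol === 'https:' || url.protocol === 'wss:';
}

// True for loopback addresses and localhost names, following the hosts the
// W3C Secure Contexts spec treats as potentially trustworthy.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '[::1]') return true; // the WHATWG URL parser keeps the IPv6 brackets
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Browser-style policy: TLS schemes, plus plain http:/ws: to a loopback host.
function localhostExemptPolicy(url) {
  if (strictPolicy(url)) return true;
  const plain = url.protocol === 'http:' || url.protocol === 'ws:';
  return plain && isLoopbackHost(url.hostname);
}

// Return the names of the cookies that may be sent to `target` under `policy`.
// Only the Secure attribute is evaluated here; domain and path matching are
// left to the cookie jar. The default policy is the strict one.
function sendableCookies(cookies, target, policy = strictPolicy) {
  const secureChannel = policy(new URL(target));
  return cookies.filter((c) => !c.secure || secureChannel).map((c) => c.name);
}

// Constructed sample jar contents, not taken from the thread.
const SAMPLE_COOKIES = [
  { name: 'session', value: 'opaque-token', secure: true },
  { name: 'theme', value: 'dark', secure: false },
];

// Stand-alone demo: compare both policies against a few constructed targets.
if (typeof require !== 'undefined' && require.main === module) {
  const targets = [
    'https://app.example/',
    'http://localhost:8080/',
    'http://127.0.0.1/',
    'http://[::1]/',
    'http://10.0.0.5/',
  ];
  for (const t of targets) {
    console.log(
      t.padEnd(24),
      'strict:', sendableCookies(SAMPLE_COOKIES, t),
      'exempt:', sendableCookies(SAMPLE_COOKIES, t, localhostExemptPolicy),
    );
  }
}
```

The exemption is a statement about the host, not the wire: any process that can bind the loopback port, or that runs on the same machine, is inside the "secure channel". That is why it fits best as an opt-in policy the caller selects, with the strict policy remaining the default.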