Fyrd / caniuse

Raw browser/feature support data from caniuse.com
https://caniuse.com
Creative Commons Attribution 4.0 International

Secure Cookie flag #2320

Open lieryan opened 8 years ago

lieryan commented 8 years ago

The Secure flag for a cookie marks that the cookie can only be sent over an HTTPS connection.

Related to #1415.

cvrebert commented 7 years ago

+1

JaneX8 commented 7 years ago

+1 (and in the security category)

JaneX8 commented 7 years ago

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies

long76 commented 6 years ago

+1

GPHemsley commented 2 years ago

Is this distinct from HttpOnly (#1415) and cookie prefixes (#4311)?

If not, I believe these are now covered by MDN data: https://caniuse.com/mdn-http_headers_set-cookie_httponly https://caniuse.com/mdn-http_headers_set-cookie_cookie_prefixes

cvrebert commented 2 years ago

It appears to be distinct. A cookie prefix can impose a requirement that the cookie also have the Secure flag. So optimal security might involve using both together, but even then, the MDN example for prefixes shows the server also setting the Secure flag explicitly.

HttpOnly would be more intuitively termed NotReadableFromJavaScript, so there's no relation to Secure (i.e. HTTPS-only).
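As an added example (not part of this issue thread or of caniuse's data), the distinction drawn in the comment above can be made concrete with a small checker: it parses a Set-Cookie header and reports separately on the Secure flag (HTTPS-only transport), HttpOnly (not readable from JavaScript), and the extra requirements the `__Secure-` / `__Host-` prefixes impose, which include Secure but are not the same thing. The `Cookie` class, `parse_set_cookie`, `check_cookie`, the finding strings and the sample headers are all constructed for this example; the rules themselves follow RFC 6265 and the rfc6265bis draft.

```python
from dataclasses import dataclass, field


@dataclass
class Cookie:
    """A parsed Set-Cookie header: name/value plus attributes keyed by lowercase name."""
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute -> value, or True for flags


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into the cookie pair and its attributes.

    Attribute names are case-insensitive (RFC 6265 section 5.2), so they are
    lowercased; flag attributes such as Secure and HttpOnly are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    name = name.strip()
    if not sep or not name:
        raise ValueError("Set-Cookie must start with a cookie-name=cookie-value pair")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name, value.strip(), attrs)


def check_cookie(header: str) -> list:
    """Return a list of findings (empty when the cookie passes every check).

    The checks and their wording are this example's own (an assumption, not
    caniuse or MDN output); the rules come from RFC 6265 (Secure, HttpOnly) and
    draft-ietf-httpbis-rfc6265bis (__Secure-/__Host- prefixes, SameSite=None).
    """
    cookie = parse_set_cookie(header)
    findings = []
    secure = "secure" in cookie.attrs
    lname = cookie.name.lower()  # rfc6265bis matches prefixes case-insensitively

    # Secure and HttpOnly are independent: one is about transport, the other about script access.
    if not secure:
        findings.append("missing Secure: cookie would also be sent over plaintext HTTP")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: cookie is readable from document.cookie")

    # __Secure- only demands Secure; __Host- additionally forbids Domain and pins Path=/.
    if lname.startswith("__secure-") and not secure:
        findings.append("__Secure- prefix requires Secure; browsers reject this cookie")
    if lname.startswith("__host-"):
        if not secure:
            findings.append("__Host- prefix requires Secure; browsers reject this cookie")
        if "domain" in cookie.attrs:
            findings.append("__Host- prefix forbids the Domain attribute")
        if cookie.attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")

    # SameSite=None is only honoured together with Secure.
    samesite = cookie.attrs.get("samesite")
    if isinstance(samesite, str) and samesite.lower() == "none" and not secure:
        findings.append("SameSite=None requires Secure; browsers reject this cookie")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real site.
    samples = [
        "__Host-sid=abc123; Secure; HttpOnly; Path=/; SameSite=Lax",
        "sid=abc123; HttpOnly; Path=/",
        "__Secure-sid=abc123; HttpOnly; Path=/",
        "__Host-sid=abc123; Secure; HttpOnly; Domain=example.com",
        "sid=abc123; Secure; SameSite=None",
    ]
    for sample in samples:
        print(sample)
        for finding in check_cookie(sample) or ["ok"]:
            print("  -", finding)
```

Running the script prints each constructed header followed by its findings; the first sample passes cleanly, the `__Secure-` and `__Host-` samples show that a prefix alone does not substitute for setting Secure (and, for `__Host-`, Path and Domain) explicitly, which is the point made above about the MDN prefix example.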

GPHemsley commented 2 years ago

> It appears to be distinct. A cookie prefix can impose a requirement that the cookie also have the Secure flag.

Oh, yes, of course: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie https://httpwg.org/specs/rfc6265.html#rfc.section.4.1.2.5

Is this covered by "Secure context required" and/or "schemeful"? https://caniuse.com/mdn-http_headers_set-cookie_samesite_secure_context_required https://caniuse.com/mdn-http_headers_set-cookie_samesite_schemeful

cvrebert commented 2 years ago

I'm not sure keyword-searching unaccompanied by research is an optimal method for correlating features to MDN data...

Presumably "secure context" refers to https://w3c.github.io/webappsec-secure-contexts/ , which is in large part about framing and workers, not just HTTPS; so I'm skeptical of any relation to cookies. But it's also unclear WTF that MDN datum is about.

GPHemsley commented 2 years ago

> But it's also unclear WTF that MDN datum is about.

That's precisely why I was asking. I was trying to correlate available compat data with the topics covered on the MDN documentation page.

A lot has changed in the realm of security since Set-Cookie was introduced and, indeed, since this issue was filed. I am merely trying to identify whether the use and support of Secure has been superseded or subsumed by another concept (such as SameSite).

FWIW, "secure context required" was added in mdn/browser-compat-data#5426 and "schemeful" was added in mdn/browser-compat-data#9352.