PlanBCode / hypha


Do not set cookies to https only #351

Closed matthijskooijman closed 3 years ago

matthijskooijman commented 3 years ago

This was only done for HTTPS requests, but it turns out this breaks mixed HTTP/HTTPS configurations, because browsers do not store a separate cookie for HTTP and HTTPS. So when you access the HTTPS version of a site, the cookie is set as secure (HTTPS only) and subsequent HTTP requests will simply not get the cookie at all and cannot change the cookie into non-secure either.

So this protection can only be enabled again when we know a site is HTTPS-only, i.e. when #247 is implemented.
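The two browser rules behind the breakage described in this issue, modelled in a small cookie-jar simulation. This is an added example, not code from hypha or from the issue author; it assumes a single host and ignores path, domain and expiry. The two rules it implements are the ones from RFC 6265bis that current browsers apply: a Secure cookie is only sent over a secure channel, and a response over plain HTTP may neither set a Secure cookie nor overwrite an existing Secure cookie of the same name ("Leave Secure Cookies Alone"). The `CookieJar` class and `sessionAfterMixedVisit` function are constructed for this illustration.

```javascript
// Minimal model of a browser cookie jar for one host (constructed example).
class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> { value, secure }
  }

  // Apply a Set-Cookie header received in a response fetched over `scheme`.
  // Returns true if the jar was updated, false if the browser dropped it.
  setCookie(scheme, header) {
    const parts = header.split(';').map((s) => s.trim());
    const eq = parts[0].indexOf('=');
    const name = parts[0].slice(0, eq);
    const value = parts[0].slice(eq + 1);
    const secure = parts.slice(1).some((a) => a.toLowerCase() === 'secure');
    const existing = this.cookies.get(name);

    // Rule 1: a non-secure origin cannot set a Secure cookie.
    if (secure && scheme !== 'https') return false;
    // Rule 2 ("Leave Secure Cookies Alone"): a non-secure origin cannot
    // overwrite a Secure cookie of the same name, not even with a non-Secure one.
    if (existing && existing.secure && scheme !== 'https') return false;

    this.cookies.set(name, { value, secure });
    return true;
  }

  // Build the Cookie request header for a request sent over `scheme`.
  // Secure cookies are withheld from plain-HTTP requests.
  cookieHeader(scheme) {
    return [...this.cookies.entries()]
      .filter(([, c]) => !c.secure || scheme === 'https')
      .map(([n, c]) => `${n}=${c.value}`)
      .join('; ');
  }
}

// Simulate the mixed HTTP/HTTPS visit from the issue: the server sets the
// session cookie on an HTTPS response (with or without the Secure attribute),
// then the user follows an HTTP link on the same site, and the HTTP response
// tries to (re)set the session cookie without Secure.
function sessionAfterMixedVisit(markSecure) {
  const jar = new CookieJar();
  const attrs = markSecure ? '; Secure; HttpOnly' : '; HttpOnly';

  jar.setCookie('https', 'session=abc123' + attrs);
  const sentOverHttps = jar.cookieHeader('https');
  const sentOverHttp = jar.cookieHeader('http');

  // The HTTP side notices no session cookie and issues a fresh one.
  const httpResetAccepted = jar.setCookie('http', 'session=def456; HttpOnly');
  const storedValue = jar.cookies.get('session').value;

  return { sentOverHttps, sentOverHttp, httpResetAccepted, storedValue };
}

// With Secure set on HTTPS (the behaviour this issue reverts), HTTP requests
// get no cookie and cannot replace it; without Secure, both schemes share it.
console.log(sessionAfterMixedVisit(true));
console.log(sessionAfterMixedVisit(false));
```

The `markSecure = true` branch is the state described in the issue: HTTPS requests carry the cookie, HTTP requests carry nothing, and the HTTP response's attempt to set a new session cookie is silently discarded, so the stored value stays `abc123` while the HTTP side of the site never sees it. The `false` branch is the pre-#351 behaviour that works in a mixed deployment at the cost of sending the session cookie in clear over HTTP, which is why the flag is only safe once a site is known to be HTTPS-only.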

matthijskooijman commented 3 years ago

I came up with a better approach, see #368.