mdn / sprints

Archived: MDN Web Docs issues are tracked in the content repository.
https://github.com/mdn/content

Can use cookie functionality on insecure http://localhost, while secure tag is used. #3470

Closed DZ84 closed 4 years ago

DZ84 commented 4 years ago

Summary: Can use cookies with the Secure tag on http://localhost.

The documentation clearly states this shouldn't be possible (https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies). Chrome does block this behavior.

Checking the Firefox secure/info icon next to the URL, it recognises that the connection is not secure.

Seems I'm not the first one: https://stackoverflow.com/questions/62307431/firefox-sends-secure-cookies-to-localhost/

Steps To Reproduce (STR)

  1. Set the Secure tag on a cookie
  2. Test it on localhost

Actual behavior: Trying to add/test the Secure tag for cookies used for authentication and session management.

Expected behavior: Cookies should not be accepted; the user could not log in and use other functionality related to cookies with the Secure tag.

Additional context: Manjaro, Firefox 78.0.1-0

peterbe commented 4 years ago

It sounds like MDN and Chrome are in agreement. But Firefox is not.

peterbe commented 4 years ago

Sorry. That was a premature press on the "Close and comment" button.

Either way, it's not a bug in MDN (mdn/kuma is the CMS for the developer.mozilla.org website).

If you believe this is a bug in Firefox, we would greatly appreciate it if you filed a descriptive bug on https://bugzilla.mozilla.org/enter_bug.cgi?product=Firefox. And if you find out that it's actually correctly implemented in the browsers but that https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies is worded incorrectly, then we can easily re-open this issue and triage it as a content problem.

DZ84 commented 4 years ago

Ok thank you. Looking through the bugzilla site I found this behavior is as intended: https://bugzilla.mozilla.org/show_bug.cgi?id=1648993

This would then be a content problem. When looking at the cookies link you provided, it seems the sentence:

"A cookie with the Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP, and therefore can't easily be accessed by a man-in-the-middle attacker."

should be modified to something like this:

"A cookie with the Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP (except on localhost), and therefore can't easily be accessed by a man-in-the-middle attacker."

Also on this link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie the Note for the Secure tag could be modified to something like this:

Note: Insecure sites (http:) can't set cookies with the Secure attribute (since Chrome 52 and Firefox 52). For Firefox, the https: requirements are ignored when the Secure attribute is set by localhost (since Firefox 75).
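The two policies contrasted in this thread (the MDN wording, which Chrome follows, versus Firefox 75+ exempting localhost) modelled as a small check; this is an added example, not code from the issue or from MDN. The policy names and the fact that only the host name `localhost` is exempted are assumptions made here to match what the thread states; it shows why a Secure-cookie test run against http://localhost in Firefox does not prove the attribute is enforced elsewhere.

```python
"""Added example (not from the MDN issue): decide whether a browser would
store or send a cookie carrying the Secure attribute for a given URL under
each of the two policies the thread describes."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumption: only the host name the thread mentions is exempted.
LOCALHOST_HOSTS = {"localhost"}

# Policy names are assumptions of this example:
#   "strict"           - Secure cookies only over https (MDN text, Chrome)
#   "localhost_exempt" - as above, but http://localhost is also allowed
#                        (Firefox 75+ behaviour reported in the thread)
POLICIES = ("strict", "localhost_exempt")


def origin_is_https(url: str) -> bool:
    return urlsplit(url).scheme.lower() == "https"


def is_localhost(url: str) -> bool:
    return (urlsplit(url).hostname or "").lower() in LOCALHOST_HOSTS


def secure_cookie_allowed(url: str, policy: str) -> bool:
    """Would a Secure cookie be set by / sent to `url` under `policy`?"""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if origin_is_https(url):
        return True
    return policy == "localhost_exempt" and is_localhost(url)


def accepted_cookies(set_cookie_headers, url: str, policy: str):
    """Return the names of the cookies a browser following `policy` would
    store from the given Set-Cookie header values for `url`. Cookies
    without Secure are always kept; Secure is the only attribute modelled."""
    kept = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses "name=value; Secure; HttpOnly" etc.
        for name, morsel in jar.items():
            if morsel["secure"] and not secure_cookie_allowed(url, policy):
                continue  # rejected: Secure attribute on an insecure origin
            kept.append(name)
    return kept
```

Under `"localhost_exempt"` the session cookie is kept on http://localhost, so a login against a local dev server works in Firefox even though the same cookie would be dropped on any other http origin.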

DZ84 commented 4 years ago

A bump to remind and ask: is this still under consideration?

DZ84 commented 4 years ago

I have made the adjustments via the wiki in both documents and they have been accepted.

sideshowbarker commented 4 years ago

@DZ84 Thanks — I post-reviewed your changes at:

…and it all looks great

DZ84 commented 4 years ago

Ahaa, thanks!