Skip to content
GitLab
Closed (moved) (moved)
Created by Peter Eckersley@pde

[FIREFOX] We sometimes flag cookies as "secure" even though they are from HTTP origins

While investigating this bug report I realised that HTTPS Everywhere will actually flag cookies as secure from within HTTP-only pages/origins. Needless to say, this can interact very badly with *.example.com target host rules!

This is something we explicitly avoid in the handleSecureCookies() path that deals with cookies set in HTTP headers.

But we have another path which I think was added to fix #3766 (moved) which does not perform the same check.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information