Incorrect use of setResponseHeader for cookie
In the file HTTPS.js, HTTPS Everywhere is attempting to make some cookies secure. In particular:
    try {
        // getResponseHeader throws when the response carries no Set-Cookie header at all.
        var cookies = req.getResponseHeader("Set-Cookie");
    } catch(mayHappen) {
        //this.log(VERB,"Exception hunting Set-Cookie in headers: " + mayHappen);
        return;
    }
    if (!cookies) return;
    var c;
    // Multiple Set-Cookie headers arrive joined by "\n"; "for each" is Firefox's JS dialect.
    for each (var cs in cookies.split("\n")) {
        this.log(DBUG, "Examining cookie: ");
        c = new Cookie(cs, host);
        if (!c.secure && HTTPSRules.shouldSecureCookie(alist, c)) {
            this.log(INFO, "Securing cookie: " + c.domain + " " + c.name);
            c.secure = true;
            // Third argument is the "merge" flag: true appends to the existing header value.
            req.setResponseHeader("Set-Cookie", c.source + ";Secure", true);
        }
    }
While, according to the docs, true should merge cookies, what actually happens inside Firefox is really undetermined (we're seeing problems in our add-on because of it).
What you should be doing is:
    req.setResponseHeader("Set-Cookie", c.source + ";Secure", false);
The goal of this code is to replace the non-secure cookie with a secure cookie. It is not to merge it with the other cookie.
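As an added illustration (not HTTPS Everywhere code, and not an excerpt from Firefox), the following models a response header table with the two setResponseHeader(name, value, merge) behaviours the report contrasts, and runs the report's per-cookie loop under both flags. It assumes, as the original code's split("\n") does, that merged Set-Cookie values are joined with "\n"; the header names, cookie values and the shouldSecure callback are constructed for the example. It goes one step beyond the report: because a per-cookie replace with merge=false overwrites the whole header on every iteration, the last function rebuilds the full Set-Cookie value and replaces it once, so a response that sets several cookies keeps all of them while every selected cookie gains the Secure attribute.

```javascript
// Minimal model of a response header table with Firefox-style
// setResponseHeader(name, value, merge) semantics (this example's own mock).
// Assumption: merged Set-Cookie values are joined with "\n".
class ResponseHeaders {
  constructor(initial) {
    this.h = new Map(Object.entries(initial || {}).map(([k, v]) => [k.toLowerCase(), v]));
  }
  getResponseHeader(name) {
    const v = this.h.get(name.toLowerCase());
    if (v === undefined) throw new Error("header not present: " + name); // mirrors the throw the report's try/catch guards
    return v;
  }
  setResponseHeader(name, value, merge) {
    const key = name.toLowerCase();
    if (merge && this.h.has(key)) this.h.set(key, this.h.get(key) + "\n" + value);
    else this.h.set(key, value);
  }
}

// Parse one Set-Cookie line into its name, whether it carries Secure, and the raw text.
function parseSetCookie(line) {
  const parts = line.split(";").map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const attrs = new Set(parts.slice(1).map(a => a.split("=")[0].toLowerCase()));
  return { name: eq >= 0 ? parts[0].slice(0, eq) : parts[0], secure: attrs.has("secure"), source: line };
}

// Names of cookies the response still sets without the Secure attribute.
function insecureCookieNames(resp) {
  let raw;
  try { raw = resp.getResponseHeader("Set-Cookie"); } catch (e) { return []; }
  return raw.split("\n").map(parseSetCookie).filter(c => !c.secure).map(c => c.name);
}

// The report's loop: one setResponseHeader call per insecure cookie, with the
// merge flag passed through so merge=true and merge=false can be compared.
function securePerCookie(resp, shouldSecure, merge) {
  let raw;
  try { raw = resp.getResponseHeader("Set-Cookie"); } catch (e) { return resp; }
  for (const cs of raw.split("\n")) {
    const c = parseSetCookie(cs);
    if (!c.secure && shouldSecure(c)) resp.setResponseHeader("Set-Cookie", c.source + ";Secure", merge);
  }
  return resp;
}

// Rebuild the whole Set-Cookie value and replace it once (merge=false), so a
// response carrying several cookies keeps all of them.
function secureAllCookies(resp, shouldSecure) {
  let raw;
  try { raw = resp.getResponseHeader("Set-Cookie"); } catch (e) { return resp; }
  const rewritten = raw.split("\n").map(cs => {
    const c = parseSetCookie(cs);
    return !c.secure && shouldSecure(c) ? c.source + ";Secure" : c.source;
  });
  resp.setResponseHeader("Set-Cookie", rewritten.join("\n"), false);
  return resp;
}

// Constructed sample responses (values are made up for the example).
function oneCookieResponse() {
  return new ResponseHeaders({ "Set-Cookie": "sid=abc123; Path=/; HttpOnly" });
}
function twoCookieResponse() {
  return new ResponseHeaders({ "Set-Cookie": "sid=abc123; Path=/; HttpOnly\nlang=en; Path=/" });
}
const secureEverything = () => true;

// Stand-alone demonstration of the three outcomes.
console.log("merge=true  :", insecureCookieNames(securePerCookie(oneCookieResponse(), secureEverything, true)));
console.log("merge=false :", insecureCookieNames(securePerCookie(oneCookieResponse(), secureEverything, false)));
console.log("rebuild once:", secureAllCookies(twoCookieResponse(), secureEverything).getResponseHeader("Set-Cookie"));
```

With merge=true the original insecure Set-Cookie line survives beside the new Secure one, which is exactly the outcome the report wants to avoid; with merge=false the single-cookie case is fixed, and rebuilding the header once extends that fix to responses that set more than one cookie.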
Trac:
Username: mkaply