Opened 8 years ago

Closed 7 years ago

#7492 closed defect (fixed)

[CHROME] Do not flag cookies from HTTP origins as "secure"

Reported by: pde Owned by: mikeperry
Priority: Very High Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Keywords:
Cc: dtauerbach Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


The equivalent of bug #7491 also exists in Chrome.

Child Tickets

Change History (3)

comment:1 Changed 7 years ago by pde

Cc: dtauerbach added

I spent a couple of hours today on this. Work in progress is in this branch.

But I'm really perplexed by what's been going on in background.js in onBeforeSendHeaders and onHeadersReceived. onHeadersReceived makes sense to me; it looks like a straightforward test to see whether a newly set cookie
should be secured, modulo the apparent bug that it didn't check whether the protocol was HTTPS before securing the cookie.

onBeforeSendHeaders looks is weirder. If I had to interpret what it does, it looks like a reimplementation of the idea of secure cookies at all: ie, figure out if you want a cookie to be secure and if you do, delete it from outgoing HTTP (non-S) requests. Git blame tells me that it's Aaron's fault, though I'm not sure if he was just committing something Mike had written. Are we in the business of reimplementing the secure cookie flag because of a race condition? Or for some other reason?

comment:2 Changed 7 years ago by pde

Status: newneeds_review

Okay, I think I might have gotten this right now. Rebased into this commit. Mike / Dan, can either of you review this before we try shipping it?

comment:3 Changed 7 years ago by pde

Resolution: fixed
Status: needs_reviewclosed

Well, it shipped, and we had "review" from the Chrome userbase.

Note: See TracTickets for help on using tickets.