- From: bvandersloot-mozilla <notifications@github.com>
- Date: Mon, 10 Mar 2025 11:48:52 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 10 March 2025 18:48:55 UTC
@bvandersloot-mozilla commented on this pull request.

> @@ -3292,6 +3324,72 @@ through TLS using ALPN. The protocol cannot be spoofed through HTTP requests in <h2 id=http-extensions>HTTP extensions</h2> +<h3 id=cookie-header>`<code>Cookie</code>` header</h3> + +<p>The `<dfn export http-header id=http-cookie><code>Cookie</code></dfn>` +request <a for=/>header</a> allows the request to carry locally stored state, such as user credentials. + +<div algorithm> +<p>To <dfn id=append-a-request-cookie-header>append a request `<code>Cookie</code>` header</dfn>, +given a <a for=/>request</a> <var>request</var>, run these steps: + <ol> + <li><p>Let |sameSite| be the result of [=determining the same-site mode=] for <var>request</var>. + <li><p>Let |isSecure| be false. + <li><p>If <var>request</var>'s <a for=request>client</a> is a <a>secure context</a>, then set |isSecure| to true.

I just tested on Chrome, Safari, and Firefox. Chrome and Firefox allow write-then-read of `Secure` attribute having cookies on localhost.

--
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1807#discussion_r1987843252
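Review bot: the step "If <var>request</var>'s client is a secure context, then set |isSecure| to true" does not cover a null client, which Fetch permits for a request, so the secure-context test is applied to something that may not be an environment settings object. Guard it explicitly, for example "If <var>request</var>'s client is non-null and is a secure context", or add a sentence stating that |isSecure| stays false when there is no client. The quoted steps also key |isSecure| on the client alone and do not consult the request's URL; since how |isSecure| is consumed is not visible here, a short note on why the client is the right input for `Secure` cookie selection would help readers. As a style point, the same algorithm mixes |sameSite| / |isSecure| and [=...=] shorthand with <var>request</var> and <a> markup; use one form throughout.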