[whatwg/fetch] Secure cookies should be permitted on secure requests, not just where there is a `https` scheme (Issue #1827)

bvandersloot-mozilla created an issue (whatwg/fetch#1827)

### What is the issue with the Fetch Standard?

Secure contexts are defined to allow things where the web platform wants to ensure there isn't a network attacker. There is no corresponding definition for URLs, so we just match on the scheme for Secure cookies. In the interest of letting localhost be localhost, we should probably permit Secure attributed cookies when host="localhost". We could even extend this to include DNS resolution to loopback addresses or IP addresses that are routed to not leave the device.


Received on Monday, 19 May 2025 12:45:32 UTC
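
The difference between the scheme match and the host-based rule the issue proposes, as an added example that is not part of the issue, the Fetch Standard or any browser's code. The function names and sample URLs are constructed for illustration, and the sketch covers only hosts recognisable from the URL string (`localhost`, `*.localhost`, `127.0.0.0/8`, `::1`), not the DNS-resolution extension the issue mentions.

```javascript
// Scheme-only rule: the match on "https" that the issue describes.
function schemeOnlySecure(urlString) {
  return new URL(urlString).protocol === "https:";
}

// Hypothetical broader rule: https, or an http host that stays on the device.
function secureOrLoopback(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "https:") return true;
  if (url.protocol !== "http:") return false;

  // The URL parser lowercases the host and canonicalises IP literals,
  // so "http://2130706433/" arrives here as "127.0.0.1".
  const host = url.hostname.replace(/\.$/, ""); // tolerate one trailing dot
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true; // IPv6 loopback, bracketed by the parser
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return v4 !== null && Number(v4[1]) === 127; // 127.0.0.0/8
}

// Constructed sample URLs (not from the issue).
const SAMPLE_URLS = [
  "https://example.com/",
  "http://example.com/",
  "http://localhost:3000/",
  "http://app.localhost/",
  "http://LOCALHOST./",
  "http://127.0.0.1:8080/",
  "http://2130706433/",
  "http://[::1]:8080/",
  "http://localhost.example.com/", // "localhost" as a label of a public name
  "http://127.0.0.1.example.com/", // looks like an IP, is a DNS name
];

// URLs that only the broader rule would accept for Secure cookies.
function newlyPermitted(urls) {
  return urls.filter((u) => secureOrLoopback(u) && !schemeOnlySecure(u));
}

console.log(newlyPermitted(SAMPLE_URLS));
```

The last two samples show why the comparison has to be made on the parsed host rather than on a substring of the URL: both contain a loopback-looking label but name hosts that resolve over the network.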