Cookie Secure Only Flag Handling #1840
Comments
Thanks @titusfortner. Would you mind also filing an issue for the WebDriver spec so that we can make it clear that setting a secure cookie should only be allowed on secure connections?
I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1690739 but will wait with the implementation until the spec has been updated.
Aha, it is specified in the cookies RFC
The reference cookies RFC is a draft only. So I think what we can refer here is https://tools.ietf.org/html/rfc6265#section-4.1.2.5.
I filed w3c/webdriver#1571 to get an agreement.
System
Chrome & Firefox have different behaviors for handling "secure-only-flag"
Chrome will not set the cookie with secure-only-flag on an http URL; Firefox will.
The spec isn't exactly clear on this: https://w3c.github.io/webdriver/#dfn-cookie-secure-only
But the Chrome actions seem to make more sense to me.
Testcase
Here's the Selenium test that is failing, but will apply for any http URL:
https://github.com/SeleniumHQ/selenium/blob/trunk/rb/spec/integration/selenium/webdriver/manager_spec.rb#L67
Stacktrace
Here's the test result:
(cookie is set when I would expect that it not be)
https://github.com/SeleniumHQ/selenium/runs/1816108484?check_suite_focus=true#step:8:527
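
The two set-time behaviours reported in this issue, modelled next to the RFC 6265 rule that a cookie with the secure-only-flag is sent only over a secure channel. This is an added example, not code from Selenium, geckodriver or any browser; the `CookieJar` class, the policy names and the `example.test` URLs are constructed for illustration.

```ruby
require "uri"

# Constructed model of a cookie store; not geckodriver, chromedriver or Selenium code.
Cookie = Struct.new(:name, :value, :domain, :secure, keyword_init: true)

class CookieJar
  # :reject_on_insecure models the Chrome behaviour reported in the issue,
  # :store_on_insecure models the Firefox behaviour reported in the issue.
  def initialize(policy)
    @policy = policy
    @cookies = []
  end

  # Returns true if the cookie was stored for the page at current_url.
  def add(current_url, name:, value:, secure: false)
    uri = URI.parse(current_url)
    return false if secure && uri.scheme != "https" && @policy == :reject_on_insecure

    @cookies.reject! { |c| c.name == name && c.domain == uri.host }
    @cookies << Cookie.new(name: name, value: value, domain: uri.host, secure: secure)
    true
  end

  def stored?(name)
    @cookies.any? { |c| c.name == name }
  end

  # Cookie header for an outgoing request. RFC 6265 send rule: a cookie with
  # the secure-only-flag is included only when the request scheme is secure.
  def cookie_header(request_url)
    uri = URI.parse(request_url)
    @cookies.select { |c| c.domain == uri.host && (!c.secure || uri.scheme == "https") }
            .map { |c| "#{c.name}=#{c.value}" }
            .join("; ")
  end
end

# Adds a Secure cookie while on an http page, then reports what each scheme would receive.
def demo(policy)
  jar = CookieJar.new(policy)
  stored = jar.add("http://example.test/page", name: "session", value: "abc", secure: true)
  { stored: stored,
    sent_over_http: jar.cookie_header("http://example.test/"),
    sent_over_https: jar.cookie_header("https://example.test/") }
end

if __FILE__ == $PROGRAM_NAME
  p demo(:reject_on_insecure)
  p demo(:store_on_insecure)
end
```

Under the store policy the cookie exists in the jar even though it was created from an insecure page, which is the state a driver-level test observes; the send rule alone does not prevent that.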