Secure Flag cannot be set for unproxied localhost #837
Comments
I have never heard of being able to set the Secure attribute and have it work if your site is http://localhost (no https). Is that Firefox-specific (those are Firefox docs) or does that work in other web browsers? Is it part of the HTTP session spec somewhere?
Ok, I did a bit of digging and it looks like this is a relatively recent change in the web browsers. Firefox implemented this first, and then Chrome I think added it earlier this year. They state that the cookie spec leaves the definition of a secure context up to the user agent (them), not specifically the scheme. Originally this bit of code was added in order to adhere to the cookie spec security guide for the server to not send secure cookies over a non-secure context when possible. But with the recent change in interpretation of the spec by the web browsers, it is not realistic to understand what they consider secure contexts. I will see what the HTTP specs are saying these days regarding servers sending secure cookies over non-secure contexts and if that is a worry or not still.
I think what browsers generally recognized is that TLS on localhost doesn't really add any security (since no public CA will ever issue a cert for localhost anyhow). It'd be fine to disable the check using a flag and keep it enabled by default if you still have concerns about this. I think accessing apps via localhost is usually a development-only activity, but it'd allow me to test '__Host-' header/CORS locally.
I mean, if you just wanted a flag, there already is one: this module simply honors the I would say if all you want is to add a flag, that shouldn't be necessary; just have
I tried doing that, actually. It failed because secure is read-only ( I am also somewhat hesitant because some other middleware might try to use secure to decide whether a redirect-url should be
Yes, you have to use
Looks like Chromium and Firefox both allow usage of secure cookies on localhost:
While Safari still does not and looks to be considered a bug:
Only required until expressjs/session#837 is fixed
Browsers consider localhost to be a secure origin (i.e. see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies).
express-session does not. This means for my local configuration, I need to disable the Secure flag, which has other repercussions:
- `__Host-sid` cannot be used
- need to make a special-case development exception
I understand that this is the result of express-session trying to be smart and trying to prevent sending cookies over insecure connections.
The code causing this is in index.js:
I don't think that `issecure` can reliably detect if the connection attempt is secure or not for the localhost case.
I see two possible solutions:
- Remove the `issecure` check and unconditionally set the cookie (this is what I actually want, because otherwise it just silently fails)
- Use `localhost` as a heuristic, this (should?) remain unchanged through proxies too
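Added example to make the behaviour discussed in the comments above and in the issue body concrete. It is not express-session's code: `isSecureRequest` is a reimplementation of the TLS-socket / proxy-trust / `X-Forwarded-Proto` decision the thread refers to as `issecure`, `isLoopbackHost` is the localhost heuristic the issue proposes, and `hostPrefixAccepted` is the browser-side `__Host-` rule that explains why dropping Secure breaks `__Host-sid`. The request objects are constructed, not captured traffic, and the helper names and the `force` / `allowLoopback` / `trustProxy` option names are assumptions made for this example.

```javascript
'use strict';

// Added example, not express-session's own code. Request objects are assumed
// to look like Node's IncomingMessage (req.headers, req.socket.encrypted) plus
// Express's req.secure. Helper and option names are ours.

// Approximation of the check that makes express-session skip a cookie marked
// `secure` when the connection does not look like TLS:
//  - a TLS socket is always secure;
//  - with proxy trust explicitly disabled, nothing else counts;
//  - with no explicit proxy setting, defer to req.secure (set by Express);
//  - with proxy trust enabled, believe the first X-Forwarded-Proto value.
function isSecureRequest(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  if (trustProxy === false) return false;
  if (trustProxy !== true) return req.secure === true;
  const header = req.headers['x-forwarded-proto'] || '';
  const first = header.split(',')[0].trim().toLowerCase();
  return first === 'https';
}

// The issue's second proposal: treat loopback hosts as a secure context, as
// Chromium and Firefox do for localhost. Port and IPv6 brackets are stripped;
// "*.localhost" is included because the secure-contexts rules treat it as loopback.
function isLoopbackHost(hostHeader) {
  const host = String(hostHeader || '').toLowerCase();
  const name = host.startsWith('[')
    ? host.slice(1, host.indexOf(']'))
    : host.replace(/:\d+$/, '');
  return name === 'localhost' || name === '127.0.0.1' || name === '::1'
    || name.endsWith('.localhost');
}

// Would a Secure session cookie actually be sent for this request?
//   opts.force         - the issue's first proposal: skip the check entirely
//   opts.allowLoopback - the issue's second proposal: loopback counts as secure
//   opts.trustProxy    - the proxy-trust setting passed to isSecureRequest
function shouldSetSecureCookie(req, opts = {}) {
  if (opts.force) return true;
  if (isSecureRequest(req, opts.trustProxy)) return true;
  if (opts.allowLoopback && isLoopbackHost(req.headers.host)) return true;
  return false; // here the real module logs "not secured" and silently sets nothing
}

// Browser-side rule for the __Host- prefix: the cookie must carry Secure,
// must not carry Domain, and must have Path=/. A cookie that fails this is
// rejected by the browser, which is why disabling Secure locally breaks __Host-sid.
function hostPrefixAccepted(name, attrs) {
  if (!name.startsWith('__Host-')) return true;
  return attrs.secure === true && attrs.domain === undefined && attrs.path === '/';
}

// Constructed sample requests (not captured traffic).
const plainLocalhost = {
  headers: { host: 'localhost:3000' }, socket: { encrypted: false }, secure: false,
};
const behindProxy = {
  headers: { host: 'app.example', 'x-forwarded-proto': 'https, http' },
  socket: { encrypted: false }, secure: false,
};
const tlsDirect = {
  headers: { host: 'app.example' }, socket: { encrypted: true }, secure: true,
};

// Each case, with the outcome a developer hitting #837 would observe.
function demo() {
  return {
    localhostDefault: shouldSetSecureCookie(plainLocalhost),                                  // false: cookie silently dropped
    localhostWithHeuristic: shouldSetSecureCookie(plainLocalhost, { allowLoopback: true }),   // true
    localhostForced: shouldSetSecureCookie(plainLocalhost, { force: true }),                  // true
    proxyUntrusted: shouldSetSecureCookie(behindProxy),                                       // false: header ignored
    proxyTrusted: shouldSetSecureCookie(behindProxy, { trustProxy: true }),                   // true
    tls: shouldSetSecureCookie(tlsDirect, { trustProxy: false }),                             // true
    hostPrefixWithSecure: hostPrefixAccepted('__Host-sid', { secure: true, path: '/' }),      // true
    hostPrefixWithoutSecure: hostPrefixAccepted('__Host-sid', { secure: false, path: '/' }),  // false
  };
}

console.log(demo());
```

The `proxyUntrusted` case is the workaround the comments hint at: a local reverse proxy can add `X-Forwarded-Proto: https`, but the module only believes that header when proxy trust is enabled, so an unproxied `http://localhost` request never passes the check unless the localhost heuristic or an unconditional flag is added.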