I was doing some local development when I noticed this behavior of Firefox. I had a local dev server running at http://127.0.0.1:8080 (without TLS), and it responded to Firefox with a secure, host-only cookie that looks like this:
"__Host-my-session"
"127.0.0.1"
true
true
"/"
"Strict"
true
I thought because this is a secure cookie, my local non-TLS dev server shouldn't be able to read it. However, Firefox is able to send this cookie to my local dev server just fine, while Safari doesn't send it.
Is this a special case in Firefox to help with local testing or am I doing/understanding something wrong?
I have the same thing: Chrome doesn't accept it, but Firefox carries on.
Firefox even shows in its inspector that the secure tags are actually flagged.
My initial thought is also that Firefox makes an exception for http when it's on localhost.
Update:
For Firefox this is intended behavior as mentioned here: https://bugzilla.mozilla.org/show_bug.cgi?id=1648993
Which has been added to docs by now (1, 2).
Chrome considered adopting the same behavior: https://bugs.chromium.org/p/chromium/issues/detail?id=1056543 and will do so starting from Chrome 89 (to be stable on March 2, 2021).
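The behaviour the answer describes, modelled as an added Python example (not code from the question, the answer, or any browser): a small checker that parses a Set-Cookie header, applies the __Host- prefix rules from RFC 6265bis (Secure, Path=/, no Domain attribute), and takes a flag for whether loopback hosts count as a secure context, which is the Firefox behaviour and the Chrome 89 behaviour linked above. The function names, the sample header and the browser profiles are constructed for this illustration.

```python
"""Model of a browser's decision to accept a __Host- prefixed cookie.

Added illustration, not code from the original question or from any
browser.  Two knobs matter: the origin scheme and whether the browser
treats loopback hosts as a secure context even over plain http.
"""
from ipaddress import ip_address
from typing import Dict, Tuple

# Constructed sample: the cookie from the question, as a Set-Cookie header.
SAMPLE_HEADER = "__Host-my-session=abc123; Secure; HttpOnly; Path=/; SameSite=Strict"


def is_loopback_host(host: str) -> bool:
    """localhost, *.localhost and loopback IPs (127.0.0.0/8, ::1)."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def host_prefix_ok(name: str, attrs: Dict[str, str]) -> bool:
    """__Host- cookies must be Secure, have Path=/ and carry no Domain."""
    if not name.startswith("__Host-"):
        return True
    return "secure" in attrs and attrs.get("path") == "/" and "domain" not in attrs


def cookie_accepted(header: str, scheme: str, host: str,
                    loopback_is_secure: bool) -> Tuple[bool, str]:
    """Decide whether a browser with the given policy stores the cookie.

    loopback_is_secure=True models Firefox (and Chrome from 89): a Secure
    cookie from http://127.0.0.1 or http://localhost is accepted.
    loopback_is_secure=False models a browser that insists on https.
    """
    name, _value, attrs = parse_set_cookie(header)
    if not host_prefix_ok(name, attrs):
        return False, "__Host- prefix rules violated"
    secure_context = scheme == "https" or (loopback_is_secure and is_loopback_host(host))
    if "secure" in attrs and not secure_context:
        return False, "Secure cookie offered by a non-secure origin"
    return True, "stored"


if __name__ == "__main__":
    for browser, loopback_ok in (("firefox-like", True), ("strict", False)):
        print(browser, cookie_accepted(SAMPLE_HEADER, "http", "127.0.0.1", loopback_ok))
```

Running the block prints one line per modelled policy for the question's http://127.0.0.1 origin; the same `cookie_accepted` call with a non-loopback host shows that the exception is limited to loopback, and a `__Host-` cookie that carries a `Domain` attribute is rejected regardless of origin.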