cookie set by JavaScript should not be sent over HTTP
-
I tested Vivaldi on https://browseraudit.com and I had one critical fail:
How do I fix/secure my browser?
@sahands One test on the page has a bug.
Vivaldi dev investigated:
Note that cookie handling in Vivaldi is provided by the Chromium engine, so any bugs in the cookie handling are likely to be Chromium bugs, not Vivaldi-specific bugs. The Chromium project has already analysed this here:
https://bugs.chromium.org/p/chromium/issues/detail?id=1065871
The test on the BrowserAudit website is flawed. It tries to set a secure cookie from an insecure page. This is not permitted in Chromium for security reasons. As a result, the "secure" cookie flag is ignored, and it is allowed to be sent over HTTP. This is a mistake in the test, and the website needs to correct their test. Please feel free to contact them, and point them to the Chromium bug report.
(Note also that BrowserAudit exaggerates the severity of bugs; failures are classed as "critical". Even if the test were correct, sending a "secure" flagged cookie over an insecure connection would not be a critical security issue - critical security issues have much more severe consequences, such as compromising a user's computer, and cookies cannot have that much impact.)
-
@sahands said in cookie set by JavaScript should not be sent over HTTP:
Is this test site checking the server's headers? I did not allow it to set cookies, but got a lot of critical messages about cookies.