This repository was archived by the owner on Nov 4, 2024. It is now read-only.
This repository was archived by the owner on Nov 4, 2024. It is now read-only.
Problematic advice regarding cookies with HSTS without secure flag #515
Description
The Observatory gives a penalty for cookies without the secure flag.
However it'll give less penalty if the site uses HSTS. The explanation is:
Session cookie set without the Secure flag, but transmission over HTTP prevented by HSTS
This is misleading. It is possible to have setups where a cookie is sent over HSTS, but can still be transmitted in plain text.
I have setup a simple example:
- https://test.mecronome.de/ has HSTS and sets a cookie scoped for the whole domain.
- Opening http://plain.mecronome.de/ will transmit the cookie.
I think it is problematic to imply that HSTS would make the cookie secure flag unnecessary.
( https://bugzilla.mozilla.org/show_bug.cgi?id=1870262 is also related.)