author: Daniel Gustafsson <daniel@yesql.se> 2018-12-13 09:57:58 +0100
committer: Daniel Gustafsson <daniel@yesql.se> 2018-12-13 09:57:58 +0100
commit: 7a09b52c98ac8d840a8a9907b1a1d9a9e684bcf5
tree: 65ff353305bd1d837519f292bf934a498ae4ed13 /docs/HTTP-COOKIES.md
parent: fdc5563b6e80bcdda89d68705cb5488ecc3a48ce
cookies: leave secure cookies alone

Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins to influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265.

Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Diffstat (limited to 'docs/HTTP-COOKIES.md')
-rw-r--r-- docs/HTTP-COOKIES.md 4
1 files changed, 3 insertions, 1 deletions
diff --git a/docs/HTTP-COOKIES.md b/docs/HTTP-COOKIES.md
index a1b283454..66e39d232 100644
--- a/docs/HTTP-COOKIES.md
+++ b/docs/HTTP-COOKIES.md
@@ -18,7 +18,9 @@
original [Netscape spec from 1994](https://curl.haxx.se/rfc/cookie_spec.html).
In 2011, [RFC6265](https://www.ietf.org/rfc/rfc6265.txt) was finally
- published and details how cookies work within HTTP.
+ published and details how cookies work within HTTP. In 2017, an update was
+ [drafted](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01)
+ to deprecate modification of 'secure' cookies from non-secure origins.
## Cookies saved to disk
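Review bot: the sentence added after "details how cookies work within HTTP." only records that an update was drafted; it does not say that curl follows it. The commit message states that this change implements draft-ietf-httpbis-cookie-alone-01, so consider stating the resulting behaviour in the document as well, namely that a cookie with the 'secure' flag set can only be written from a secure origin, so that readers of HTTP-COOKIES.md know what to expect from curl. A smaller point on the same lines: the link pins revision -01 of the draft, which will go stale if the draft is revised, so a note of the draft name in the text would help readers find the current version.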