authorDaniel Gustafsson <daniel@yesql.se>2018-12-13 09:57:58 +0100
committerDaniel Gustafsson <daniel@yesql.se>2018-12-13 09:57:58 +0100
commit7a09b52c98ac8d840a8a9907b1a1d9a9e684bcf5 (patch)
tree65ff353305bd1d837519f292bf934a498ae4ed13 /lib/http.c
parentfdc5563b6e80bcdda89d68705cb5488ecc3a48ce (diff)
cookies: leave secure cookies alone
Only allow secure origins to write cookies with the 'secure' flag set. This reduces the risk that non-secure origins influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01, which updates RFC6265. Closes #2956 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Diffstat (limited to 'lib/http.c')
-rw-r--r--lib/http.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/http.c b/lib/http.c
index 345100f6c..0a3e46243 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3873,7 +3873,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
here, or else use real peer host name. */
conn->allocptr.cookiehost?
conn->allocptr.cookiehost:conn->host.name,
- data->state.up.path);
+ data->state.up.path,
+ (conn->handler->protocol&CURLPROTO_HTTPS)?
+ TRUE:FALSE);
Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
}
#endif
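Review bot: The new boolean argument is computed inline from `conn->handler->protocol&CURLPROTO_HTTPS` with nothing at the call site saying what it gates, so a reader has to go back to the commit message to learn that it decides whether a 'secure'-flagged cookie may be stored at all; a comment above the added lines such as `/* only an HTTPS origin may set or overwrite a cookie carrying the 'secure' flag (draft-ietf-httpbis-cookie-alone) */` would tie the value to the policy it enforces. The test is on the handler's protocol bit, i.e. the request scheme, rather than on whether the underlying transport is TLS; that appears to be the intended notion of "secure origin", and stating it in the same comment would stop a later maintainer from "fixing" it to a transport check. The `?TRUE:FALSE` form matches the surrounding curl style, so no change there. Curl_http_readwrite_headers and the Curl_cookie_add call whose arguments this hunk extends both begin outside the hunk.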