author | Daniel Gustafsson <daniel@yesql.se> | 2018-12-13 09:57:58 +0100 |
---|---|---|
committer | Daniel Gustafsson <daniel@yesql.se> | 2018-12-13 09:57:58 +0100 |
commit | 7a09b52c98ac8d840a8a9907b1a1d9a9e684bcf5 (patch) | |
tree | 65ff353305bd1d837519f292bf934a498ae4ed13 /lib/http.c | |
parent | fdc5563b6e80bcdda89d68705cb5488ecc3a48ce (diff) | |
cookies: leave secure cookies alone
Only allow secure origins to be able to write cookies with the
'secure' flag set. This reduces the risk of non-secure origins
to influence the state of secure origins. This implements IETF
Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
RFC6265.
Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Diffstat (limited to 'lib/http.c')
-rw-r--r-- | lib/http.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/http.c b/lib/http.c index 345100f6c..0a3e46243 100644 --- a/lib/http.c +++ b/lib/http.c @@ -3873,7 +3873,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, here, or else use real peer host name. */ conn->allocptr.cookiehost? conn->allocptr.cookiehost:conn->host.name, - data->state.up.path); + data->state.up.path, + (conn->handler->protocol&CURLPROTO_HTTPS)? + TRUE:FALSE); Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); } #endif |
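Review bot: the new last argument in Curl_http_readwrite_headers, `(conn->handler->protocol&CURLPROTO_HTTPS)? TRUE:FALSE`, is passed with no comment saying what it means, while the comment just above it explains the host argument. A short comment at the call site, for example that only a secure (HTTPS) origin may write cookies carrying the 'secure' flag, would let a reader see the security decision without opening the callee. Spacing around `&` and before `?` would also help, since the whole policy rests on this one expression. The diffstat here is limited to lib/http.c, so the matching prototype change and any other callers are not visible on this page; they should be checked to confirm each one passes the secure-origin flag deliberately rather than a default.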