Secure cookie on localhost

[nerg4l]

I haven't found any issues/discussions regarding this but if this was already teared to pieces then sorry.

I see the following mentioned on many places in the current web page:

Cookies can only be sent over HTTPS (Should be omitted when testing on localhost)

According to my experience and some documents this is not true because localhost is handled differently by most browsers if not all.

Source: MDN Cookies

[...] It's never sent with unsecured HTTP (except on localhost) [...]

Source: MDN Set-Cookie

[...] Indicates that the cookie is sent to the server only when a request is made with the https: scheme (except on localhost) [...]

Source: rfc6265bis - This RFC is planned to replace rfc6265.

[...] For example, most user agents consider "https" to be a scheme that denotes a secure protocol and "localhost" to be trusted host. [...]

I'm wondering if the quoted string and checking for env value in the current Lucia documents are needed or not. What do you think? Am I wrong here? Is it for compatibility?

[pilcrowonpaper]

Safari is probably the major outlier but both RFC 6265 and the draft you linked ultimately leaves it up to each user agent to define what constitutes as "secure channels"

[nerg4l]

Interesting. Yes, the RFC states it as "most user agents" but the MDN documents is less ambiguous with the wording and that's confused me.

Thanks for the clarification.