
Disable HTTPS upgrade?

Posted Mar 5, 2025 14:07 UTC (Wed) by ballombe (subscriber, #9523)
In reply to: Disable HTTPS upgrade? by excors
Parent article: Firefox 136.0 released

> because cookies are shared by all schemes and ports on the same host.

... which, independently of HTTPS, is a major design bug, since web servers on non-standard ports exist.


Disable HTTPS upgrade?

Posted Mar 5, 2025 15:19 UTC (Wed) by excors (subscriber, #95769)

Yeah, modern web security is based on "origin" (basically a tuple of scheme, port and host) which is generally sensible, but cookies were invented long before that and can't be fixed because of backward compatibility requirements. If you want to properly isolate sites then they can't even be on different subdomains of the same domain - they must be completely different domains, up to a suffix listed in the Public Suffix List (.com, .co.uk, .github.io, etc.). And definitely don't try to isolate them just by port. It's a bad design, but it is what it is.

(Or as RFC6265 puts it: "For historical reasons, cookies contain a number of security and privacy infelicities.")
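
The scoping mismatch excors describes, as an added example that is not part of this thread: it drives Python's standard http.cookiejar (with the DomainStrictNonDomain policy flag so host-only cookies are withheld from subdomains, as browsers do) to show that a cookie set by example.com on port 8080 is replayed to ports 443 and 9000, that only the Secure attribute recovers scheme isolation, and that a Domain=example.com cookie reaches every subdomain, while the origin tuple treats each of those as a different origin. The hostnames and cookie values are constructed for the demonstration.

```python
import email.message
from http.cookiejar import CookieJar, DefaultCookiePolicy
from urllib.parse import urlsplit
from urllib.request import Request

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """The (scheme, host, port) tuple that the same-origin policy compares."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS[p.scheme])

class _FakeResponse:
    """Stand-in for a urllib response; CookieJar only calls info() on it."""
    def __init__(self, set_cookie_lines):
        self._msg = email.message.Message()
        for line in set_cookie_lines:
            self._msg["Set-Cookie"] = line

    def info(self):
        return self._msg

def receive_cookies(jar, url, set_cookie_lines):
    """Store cookies as if the server behind `url` had sent these Set-Cookie headers."""
    jar.extract_cookies(_FakeResponse(set_cookie_lines), Request(url))

def cookies_sent(jar, url):
    """Names of the stored cookies the jar attaches to a request for `url`."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie") or ""
    return {pair.split("=", 1)[0] for pair in header.split("; ") if pair}

def demo():
    # Browsers do not send host-only cookies to subdomains; this policy flag makes the
    # Python jar behave the same way. Hostnames and cookie values are constructed.
    policy = DefaultCookiePolicy(strict_ns_domain=DefaultCookiePolicy.DomainStrictNonDomain)
    jar = CookieJar(policy)
    receive_cookies(jar, "http://example.com:8080/", ["devsession=abc"])
    receive_cookies(jar, "https://example.com/", ["prodsession=xyz; Secure"])
    receive_cookies(jar, "https://app.example.com/", ["shared=1; Domain=example.com"])
    return {
        "same_origin": origin("http://example.com:8080/") == origin("https://example.com/"),
        "http_8080": cookies_sent(jar, "http://example.com:8080/"),
        "https_443": cookies_sent(jar, "https://example.com/"),
        "http_9000": cookies_sent(jar, "http://example.com:9000/"),
        "other_subdomain": cookies_sent(jar, "https://other.example.com/"),
    }
```

Port 8080 and port 443 are different origins, yet the dev-server cookie is sent to both and to port 9000; only the Secure cookie stays off plain HTTP, and the Domain cookie is the one that leaks across subdomains.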


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds