| commit | 130c0d848751ca0ebf236ddc09310b7d3a32a80e | |
| author | Chocobo1 <Chocobo1@users.noreply.github.com> | |
| Sat, 7 Sep 2024 13:38:27 +0000 (7 21:38 +0800) | ||
| committer | GitHub <noreply@github.com> | |
| Sat, 7 Sep 2024 13:38:27 +0000 (7 21:38 +0800) | ||
| tree | b64a969e2f90f6db894a34c4a5ab2e10dd46aeef | treesnapshot (tar.gz zip) |
| parent | d9bc7935eb750fed253e65b14c52cdda44e550e3 | commitdiff |
Revise cookie 'secure flag' enable condition
The localhost is 'potentially trustworthy' and RFC 6265 allows setting secure flag in this case.
Also check `X-Forwarded-Proto` header value to support reverse proxy usage.
Note: for reverse proxy users, now the `X-Forwarded-Proto` header is expected to be sent to qbt
otherwise the `secure` flag might be set erroneously.
https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2.5
https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
Closes #21250.
PR #21260.
The localhost is 'potentially trustworthy' and RFC 6265 allows setting secure flag in this case.
Also check `X-Forwarded-Proto` header value to support reverse proxy usage.
Note: for reverse proxy users, now the `X-Forwarded-Proto` header is expected to be sent to qbt
otherwise the `secure` flag might be set erroneously.
https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2.5
https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
Closes #21250.
PR #21260.