undefined | Better HN

0 pointsyencabulator6y ago0 comments

The http version can't access secure cookies; https with the wrong cert can use the secure cookies of the real https site.

0 comments

mrob6y ago

So disable secure cookies by default for self-signed certs. The scary warnings can be shown when the user tries to enable them.

In other words, "open users up to social engineering attacks to make my web-dev life easier".

You misinterpreted the above commenter. The suggestion is to disallow self-signed contexts access cookies set in authoritative contexts.

j / k navigate · click thread line to collapse

mrob6y ago

So disable secure cookies by default for self-signed certs. The scary warnings can be shown when the user tries to enable them.

In other words, "open users up to social engineering attacks to make my web-dev life easier".

You misinterpreted the above commenter. The suggestion is to disallow self-signed contexts access cookies set in authoritative contexts.

j / k navigate · click thread line to collapse