@Mattia-Rollo

Hi @hamishwillee,

As per your request on mdn/content#41795, I'm opening this PR to add the note about Safari's localhost exception for Secure cookies directly to the BCD.

I've added the note to the main Set-Cookie support block for Safari, as Secure isn't tracked as a separate sub-feature. Please let me know if this is the correct location!


Summary

Adds a BCD note to the Set-Cookie header, clarifying that Safari does not support the localhost exception for the Secure attribute.

Test results and supporting details

This is a data-only change to add a note.

Supporting information and related discussion:

Related issues

Fixes mdn/content#41366
Addresses discussion in mdn/content#41795

@github-actions github-actions bot added data:http Compat data for HTTP features. https://developer.mozilla.org/docs/Web/HTTP size:xs [PR only] 0-6 LoC changed labels Nov 15, 2025

@caugner caugner changed the title from "feat(http): Add Safari Secure/localhost note to Set-Cookie" to "Safari does not support localhost exception for Secure cookies" Nov 17, 2025
@caugner caugner left a comment

Is this exception mentioned in the spec?

Mattia-Rollo and others added 2 commits November 17, 2025 18:07
Co-authored-by: Claas Augner <495429+caugner@users.noreply.github.com>
@Mattia-Rollo

Hi @caugner,

Thanks so much for the review and the very helpful suggestion! I've just committed your change.

You're spot on about the spec. It looks like the localhost exception isn't in the original RFC 6265, but is more of a modern browser convention for developer experience. Your new wording describes Safari's behavior much more accurately.

Appreciate the help!

@caugner

caugner commented Nov 18, 2025

@Mattia-Rollo Just to double-check: Chrome and Safari apply this exception, and send Secure cookies to unsecured localhost endpoints?

Edit: Also, have you considered adding the note to the Cookie header additionally/instead: https://github.com/mdn/browser-compat-data/blob/main/http/headers/Cookie.json

@Mattia-Rollo

Hi @caugner,

Thanks for the review!

To answer your double-check: Yes, that is correct. Chrome and Firefox apply the exception (allowing Secure cookies on localhost), while Safari does not. This behavior is confirmed by the WebKit bug report I linked (#281149), which tracks this exact lack of support in Safari compared to other browsers.

Regarding the location of the note: That is a great point. Since the documented behavior is the User Agent's (Safari) decision on whether to send the cookie, placing the note under the Cookie header is indeed more appropriate than Set-Cookie.

I can move the note to http/headers/Cookie.json. Please confirm if you'd like me to delete the note from Set-Cookie.json entirely, or just move it.

@caugner

caugner commented Nov 21, 2025

@Mattia-Rollo Thanks for confirming. Let's duplicate the note to Cookies instead of moving.

@github-actions github-actions bot added size:s [PR only] 7-24 LoC changed and removed size:xs [PR only] 0-6 LoC changed labels Nov 21, 2025
@Mattia-Rollo

Done! Duplicated the note to Cookie.json as requested.

@caugner caugner merged commit 2ba5698 into mdn:main Nov 25, 2025
8 checks passed
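
Added example, not part of this PR or of browser-compat-data: a minimal probe server for checking in a given browser whether a `Secure` cookie set over plain HTTP on localhost is sent back, which is the behaviour the note records. The cookie name `secure_probe`, port 8080 and the `/check` path are choices made for this example.

```python
from http.cookies import CookieError, SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

COOKIE_NAME = "secure_probe"  # constructed name, chosen for this example
PORT = 8080                   # arbitrary local port (assumption)


def probe_response(path, cookie_header):
    """Return (set_cookie_value_or_None, body) for one GET request."""
    if path.split("?", 1)[0] != "/check":
        # Step 1: hand out a Secure cookie over plain HTTP.
        jar = SimpleCookie()
        jar[COOKIE_NAME] = "1"
        jar[COOKIE_NAME]["path"] = "/"
        jar[COOKIE_NAME]["secure"] = True
        return jar[COOKIE_NAME].OutputString(), "Secure cookie set. Now open /check\n"
    # Step 2: see whether the browser sent it back on an http:// request.
    received = SimpleCookie()
    try:
        received.load(cookie_header or "")
    except CookieError:
        pass  # malformed Cookie header: treat as "not returned"
    if COOKIE_NAME in received:
        return None, "Secure cookie returned: localhost exception applied\n"
    return None, "Secure cookie NOT returned: no localhost exception\n"


class Probe(BaseHTTPRequestHandler):
    def do_GET(self):
        set_cookie, body = probe_response(self.path, self.headers.get("Cookie"))
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        if set_cookie:
            self.send_header("Set-Cookie", set_cookie)
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    # Loopback only; browse to http://localhost:8080/ and then /check.
    HTTPServer(("127.0.0.1", PORT), Probe).serve_forever()
```

The probe cannot tell whether a browser declined to store the cookie or stored it and declined to send it; both show up as "NOT returned".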

Successfully merging this pull request may close these issues.

Safari does not forward Secure cookies in localhost