From: Daniel Stenberg Date: Thu, 17 Nov 2022 18:08:56 +0000 (+0100) Subject: HTTP-COOKIES.md: mention that http://localhost is a secure context X-Git-Tag: curl-7_87_0~143 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b473df52bbd887cf98d985b65f5f4adce25c07d5;p=thirdparty%2Fcurl.git HTTP-COOKIES.md: mention that http://localhost is a secure context Reported-by: Trail of Bits Closes #9938 --- diff --git a/docs/HTTP-COOKIES.md b/docs/HTTP-COOKIES.md index 939e9fab2f..bbcb175a79 100644 --- a/docs/HTTP-COOKIES.md +++ b/docs/HTTP-COOKIES.md @@ -29,6 +29,11 @@ RFC6265. Cookie prefixes and secure cookie modification protection has been implemented by curl. + curl considers `http://localhost` to be a *secure context*, meaning that it + will allow and use cookies marked with the `secure` keyword even when done + over plain HTTP for this host. curl does this to match how popular browsers + work with secure cookies. + ## Cookies saved to disk Netscape once created a file format for storing cookies on disk so that they
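Review bot: In the added paragraph, "even when done over plain HTTP for this host" leaves the scope of the exception unclear. It does not say whether only the literal host name `localhost` qualifies or also `127.0.0.1`, `[::1]` and names under `.localhost`, nor whether the match is made on the name in the URL or on the address it resolves to. Because this is an exception to the secure cookie protection mentioned in the context line just above, the text should state exactly which hosts are matched and how, so a reader can tell when a `secure` cookie may be sent over an unencrypted connection. Consider rewording to "even when the transfer uses plain HTTP to this host", and calling `secure` an attribute rather than a keyword to match the RFC 6265 terminology the document already refers to.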