GeoIP and WMF-Last-Access cookies come from Varnish. We should be marking them as secure!
|Open||None||T119570 Consider setting "Secure" on cookies that EFF HTTPS-Everywhere sets this on for us (tracking)|
|Resolved||BBlack||T119576 Mark cookies from varnish as secure|
Note there are probably question-marks around these about insecure requests. We don't yet block/deny insecure POST traffic ( T105794 ), but we've been warning about it and trying to weed them out from top log entries for a long time now, and sending warnings on the API requests. This could break requests which currently send these two cookies along with an insecure POST , but IMHO we're well past the date range where we can say "Hey, fix your insecure POST traffic instead of complaining about the broken cookies"