Alert group: Cookie(s) without Secure flag set
This cookie does not have the Secure flag set. A cookie set with the Secure attribute is only sent by
the browser over HTTPS (TLS) connections; without it, the browser also attaches the cookie to plain
http:// requests for the same domain, where an on-path attacker can read or replace it. This is an
important security protection for session cookies.
Recommendations: If possible, set the Secure flag for this cookie.
stopMobileRedirect=true; expires=Thu, 24-Oct-2019 08:47:45 GMT; path=/; domain=xxx;
Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
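The check behind this alert, and what the flag actually changes in browser behaviour, as an added example in Python (not the scanner's code and not MobileFrontend's own PHP). It parses Set-Cookie headers, reports the missing Secure flag, appends the flag to the offending header, and models the one browser rule the flag controls: a Secure cookie is withheld from http:// requests. The sample headers are constructed: the first is the stopMobileRedirect header shown above with the domain still redacted as "xxx", the other two are made up for contrast. The HttpOnly and SameSite findings are extra, informational checks that go beyond this alert.

```python
"""Audit Set-Cookie headers for the Secure flag and show what the flag changes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample input (not captured from the scanner): the first line is the
# stopMobileRedirect header from the alert, domain left redacted as "xxx";
# the other two are made up for contrast.
SAMPLE_SET_COOKIE = [
    "stopMobileRedirect=true; expires=Thu, 24-Oct-2019 08:47:45 GMT; path=/; domain=xxx;",
    "session=0123abcd; Path=/; Domain=xxx; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/; Secure",
]


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # lower-cased attribute names

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs

    @property
    def samesite(self) -> Optional[str]:
        return self.attrs.get("samesite") or None


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into name, value and attributes (RFC 6265 style)."""
    segments = [s.strip() for s in header.split(";")]
    segments = [s for s in segments if s]  # tolerate the trailing ';' in the sample
    name, _, value = segments[0].partition("=")
    attrs: Dict[str, str] = {}
    for seg in segments[1:]:
        key, _, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def findings(cookie: Cookie) -> List[str]:
    """The Secure finding matches the alert; HttpOnly/SameSite are extra, informational."""
    out = []
    if not cookie.secure:
        out.append("no Secure flag: browser will also send it over plain http://")
    if not cookie.httponly:
        out.append("no HttpOnly flag: readable from page scripts (informational)")
    if cookie.samesite is None:
        out.append("no SameSite attribute: sent on cross-site requests (informational)")
    return out


def with_secure_flag(header: str) -> str:
    """Return the header unchanged if it already has Secure, else append the attribute."""
    if parse_set_cookie(header).secure:
        return header
    return header.rstrip().rstrip(";") + "; Secure"


def cookies_sent(jar: List[Cookie], request_url: str) -> List[str]:
    """Names the browser would attach to a request, applying only the Secure rule.

    Domain and path matching are assumed to already hold for every cookie in the jar.
    """
    is_https = urlsplit(request_url).scheme == "https"
    return [c.name for c in jar if is_https or not c.secure]


if __name__ == "__main__":
    jar = [parse_set_cookie(h) for h in SAMPLE_SET_COOKIE]
    for c in jar:
        for f in findings(c):
            print(f"{c.name}: {f}")
    # A plain-http request (for instance one an on-path attacker injects into a
    # page) carries only the cookie that lacks Secure.
    print("sent over http://  :", cookies_sent(jar, "http://xxx/"))
    print("sent over https:// :", cookies_sent(jar, "https://xxx/"))
    print("fixed header:", with_secure_flag(SAMPLE_SET_COOKIE[0]))
```

Run against the sample, only `stopMobileRedirect` is attached to the http:// request, which is exactly the exposure the alert describes; after `with_secure_flag` the header parses as Secure and drops out of that list.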
mediawiki/extensions/MobileFrontend : master | SECURITY: Set stopMobileRedirect cookie within MobileFrontend to true
The stopMobileRedirect cookie allows editors to opt out of the mobile site on their phone - by requesting they always get desktop. There might be a more modern way to do this with headers now though...
Ok, that's fair. I was more curious as to why the cookie's secure flag is being explicitly set to false within the code. I'd assume because there were issues with it not working properly for non-TLS sites, though I have no knowledge of the history here. If there really isn't a good reason for it being set to false here, we should probably change it with a gerrit patch.
Sounds likely. If there aren't any objections, I'd like to push a patch through gerrit setting the secure key to true (or just removing it) and then make this task public. I'm less worried about this one than T238075 since we should be tls-only on all production projects and this code has been in the wild for many years.