Allow user-defined secure cookies #6357
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Allow user-defined cookies to specify a
secure
key to indicate if the cookie is meant to be only set onhttps://
requests.It includes a backward-incompatible change, because it automatically sets
secure
toTrue
if no value is specified and the request URL ishttps://
. So aRequest("https://example.com", cookies={"a": "b"})
object, if redirected to"http://example.com"
, would now lose the cookies. I think this behavior makes sense, i.e. secure by default, since users are likely to forget about settingsecure
even where they should. But it is worth noting that there is no standard for users defining cookies manually, andsecure
isFalse
by default in server-set cookies.Related to #5431.