<div style="display: flex; flex-wrap: wrap; white-space: pre-wrap; align-items: center; "><img height="20" width="20" style="border-radius:50%; margin-right: 4px;" decoding="async" src="https://avatars.githubusercontent.com/u/36066?s=20&v=4" /><strong>pablobm</strong> left a comment <a href="https://github.com/openstreetmap/openstreetmap-website/pull/6424#issuecomment-3365324659">(openstreetmap/openstreetmap-website#6424)</a></div>
<p dir="auto">I'm reading a bit more. I think the explanation (or at least one explanation) is that an attacker could impersonate the HTTP version of the site before the redirection to HTTPS. Hence we can't be sure that we are setting the cookie securely.</p>
<p dir="auto">I think <code class="notranslate">location.protocol === 'https'</code> would not work as it would not protect us from those edge cases that <code class="notranslate">secure</code> is supposed to be about. I'll put a variable to signal that we are in production and use that.</p>
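<p dir="auto">The distinction drawn in the comment above, as an added example that is not code from the PR or from openstreetmap-website: the same client-side cookie built once with <code>secure</code> derived from the page protocol and once from a server-injected production flag. The cookie name, the <code>config.production</code> flag and the page objects are constructed for the example.</p>

```javascript
// Added example (not openstreetmap-website code): two ways to decide the
// Secure attribute on a cookie written from browser JavaScript.

// Rejected approach: derive `secure` from the page the script happens to be
// running in. Note that location.protocol keeps the trailing colon ("https:").
function secureFromProtocol(loc) {
  return loc.protocol === "https:";
}

// Proposed approach: a flag the server injects at render time (constructed
// name `config.production`), independent of how the current page was loaded.
function secureFromConfig(config) {
  return config.production === true;
}

// Build the string assigned to document.cookie. Attributes are fixed here so
// the only thing that varies between the two strategies is Secure.
function buildCookie(name, value, { secure, maxAge = 31536000 }) {
  const parts = [
    `${encodeURIComponent(name)}=${encodeURIComponent(value)}`,
    "Path=/",
    `Max-Age=${maxAge}`,
    "SameSite=Lax",
  ];
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

function hasSecure(cookie) {
  return cookie.split("; ").includes("Secure");
}

// Constructed scenario: the page was reached over plain HTTP (for example the
// request that precedes the redirect to HTTPS) on a production deployment.
const httpPage = { protocol: "http:" };
const prodConfig = { production: true };

// Protocol-derived flag: the cookie is written without Secure on that page.
function cookieUnderProtocolCheck() {
  return buildCookie("example_pref", "1", { secure: secureFromProtocol(httpPage) });
}

// Config-derived flag: Secure is set regardless of how the page was loaded.
function cookieUnderConfigCheck() {
  return buildCookie("example_pref", "1", { secure: secureFromConfig(prodConfig) });
}
```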