
Cookie token should be marked as "secure" when created in an https connection #14606

Open · 1 task
temtemy opened this issue Sep 22, 2024 · 1 comment
Labels
⚠️bug? This might be a bug

Comments


temtemy commented Sep 22, 2024

💡 Summary

Currently the cookie being generated in /packages/frontend/src/account.ts when you sign in is not marked as secure:

document.cookie = `token=${token}; path=/; max-age=31536000`; // used for things like Bull dashboard authentication

This can result in the cookie token being sent unencrypted by the browser over http if the webmaster didn't set up HSTS.

Note that Chrome and Firefox (since version 52 for both browsers) will not set a cookie when secure is used in an http scheme, according to MDN. So make sure secure is only added as a directive when https is the scheme so as to not break Misskey instances which serve the frontend over secure hidden networks like Tor and Yggdrasil (which usually don't use https).

🥰 Expected Behavior

The cookie token should be marked as "secure" in the document.cookie. For example, Mastodon does it and my browser does note that the cookie will only be sent over HTTPS:

[screenshot omitted]

🤬 Actual Behavior

There's no secure directive in the document.cookie, and as noted by my browser it can be sent over any type of connection instead of just HTTPS:

[screenshot omitted]

📝 Steps to Reproduce

No response

💻 Frontend Environment

No response

🛰 Backend Environment (for server admin)

No response

Do you want to address this bug yourself?

  • Yes, I will patch the bug myself and send a pull request
temtemy added the ⚠️bug? This might be a bug label Sep 22, 2024
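The scheme-conditional `Secure` attribute the issue asks for, written out as an added JavaScript example; this is not Misskey's code, and the names `buildTokenCookie`, `isSecureCookie`, `setTokenCookie` and the `protocol` parameter are assumptions made for the example. The cookie name, path and max-age match the line quoted above; the attribute is appended only when the page was served over https, so an instance reached over plain http (Tor, Yggdrasil) still receives the cookie instead of having it silently rejected by Chrome or Firefox.

```javascript
// Added example, not Misskey's code: build the login-token cookie so that the
// Secure attribute is present only when the page was served over https.
// The token is assumed to be a cookie-safe string (no ';' or whitespace).
const TOKEN_MAX_AGE = 31536000; // one year, the value used in the issue

function buildTokenCookie(token, protocol) {
  if (typeof token !== 'string' || token.length === 0 || /[;\s]/.test(token)) {
    throw new Error('token must be a single cookie-safe string');
  }
  const parts = [`token=${token}`, 'path=/', `max-age=${TOKEN_MAX_AGE}`];
  // Chrome and Firefox (52+) refuse to store a Secure cookie set from a
  // non-https origin, so the attribute is added only for the https scheme.
  if (protocol === 'https:') {
    parts.push('Secure');
  }
  return parts.join('; ');
}

// Check a cookie string for the Secure attribute (attribute names are
// case-insensitive per RFC 6265), e.g. to assert on it in a frontend test.
function isSecureCookie(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim().toLowerCase())
    .includes('secure');
}

// Browser entry point (hypothetical name): reads the scheme from window.location
// and writes the cookie. Returns the string that was written.
function setTokenCookie(token) {
  if (typeof window === 'undefined' || typeof document === 'undefined') {
    throw new Error('setTokenCookie must run in a browser');
  }
  const cookie = buildTokenCookie(token, window.location.protocol);
  document.cookie = cookie;
  return cookie;
}
```

`buildTokenCookie` is kept separate from the `document.cookie` write so the attribute logic can be unit-tested without a DOM; the same string is what a frontend test would inspect with `isSecureCookie`.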
kakkokari-gtyih (Contributor) commented:

Related to #14528
