What can NoScript do against HTTPS cookie hijacking?
HTTPS cookie hijacking happens when a site sets sensitive cookies (e.g. those identifying authenticated sessions) over HTTPS connections but “forgets” to flag them as “Secure”. This means that subsequent unencrypted (non-HTTPS) requests for the same site will leak the session cookies, even if you logged in securely.

NoScript provides means to mitigate this issue, configurable in NoScript Options|Advanced|HTTPS|Cookies. If Enable Automatic Secure Cookies Management is checked, NoScript will try to “patch” insecure cookies set by HTTPS sites on the fly:

• If the site matches the “Ignore unsafe cookies…” pattern list, NoScript lets its cookies pass through untouched
• If the site matches the “Force encryption for all the cookies…” pattern list, NoScript appends a “;Secure” flag to every non-secure cookie set by this response
• Otherwise, NoScript just logs unsafe cookies BUT if no secure cookie is set in an HTTPS transaction setting other (unsafe) cookies, NoScript patches all the
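
The three-way decision described above, sketched as an added example that is not NoScript's own code: the function names, the `*` host-glob pattern syntax, and the sample hosts and cookies are assumptions constructed for illustration. The exception that follows “BUT” in the last rule is cut off on this page and is not modelled.

```javascript
// Added illustration, not NoScript's implementation.
// Assumption: patterns are host globs where "*" matches any run of characters.

// True if a Set-Cookie header value already carries the Secure attribute.
// Only attributes after the first ";" are inspected, so a cookie whose
// *value* happens to be "secure" is not mistaken for a flagged cookie.
const hasSecureFlag = (setCookie) =>
  setCookie.split(";").slice(1).some((a) => a.trim().toLowerCase() === "secure");

function hostMatches(host, patterns) {
  return patterns.some((p) => {
    const body = p.split("*")
      .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")) // escape regex metachars
      .join(".*");
    return new RegExp("^" + body + "$", "i").test(host);
  });
}

// Decide what happens to the Set-Cookie headers of one HTTPS response.
// Returns the (possibly patched) headers plus the cookies found unsafe.
function manageSecureCookies(host, setCookieHeaders, lists) {
  // Rule 1: ignore list, cookies pass through untouched.
  if (hostMatches(host, lists.ignore)) {
    return { action: "ignore", headers: setCookieHeaders.slice(), logged: [] };
  }
  const unsafe = setCookieHeaders.filter((h) => !hasSecureFlag(h));
  // Rule 2: force list, append ";Secure" to every non-secure cookie.
  if (hostMatches(host, lists.force)) {
    const headers = setCookieHeaders.map((h) => (hasSecureFlag(h) ? h : h + ";Secure"));
    return { action: "force", headers, logged: unsafe };
  }
  // Rule 3: otherwise only report the unsafe cookies, headers unchanged.
  return { action: "log", headers: setCookieHeaders.slice(), logged: unsafe };
}

// Constructed sample data (hypothetical hosts and cookies).
const lists = { ignore: ["static.example.net"], force: ["*.bank.example"] };
const sample = ["SID=abc123; Path=/; HttpOnly", "theme=dark; Secure"];

for (const host of ["static.example.net", "www.bank.example", "forum.example.org"]) {
  console.log(host, manageSecureCookies(host, sample, lists));
}
```

On a site in neither list, the session cookie `SID` is reported but still leaves the browser on any plain-HTTP request to that host, which is the leak the page describes.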