Respect the https_forced property when setting cookies client-side

r2/r2/lib/template_helpers.py

@@ -144,6 +144,8 @@ def js_config(extra_config=None):
         "ajax_domain": get_domain(cname=c.authorized_cname, subreddit=False),
         "extension": c.extension,
         "https_endpoint": is_subdomain(request.host, g.domain) and g.https_endpoint,
+        # does the client only want to communicate over HTTPS?
+        "https_forced": c.user.https_forced,
         # debugging?
         "debug": g.debug,
         "send_logs": g.live_config["frontend_logging"],

r2/r2/public/static/js/jquery.reddit.js

@@ -697,7 +697,7 @@ $.rehighlight_new_comments = function() {
   }
 }
 
-/* namespace globals for cookies -- default prefix and domain */
+/* namespace globals for cookies -- default prefix, security and domain */
 var default_cookie_domain
 $.default_cookie_domain = function(domain) {
     if (domain) {
@@ -705,6 +705,11 @@ $.default_cookie_domain = function(domain) {
     }
 }
 
+var default_cookie_security
+$.default_cookie_security = function(security) {
+    default_cookie_security = security
+}
+
 var cookie_name_prefix = "_"
 $.cookie_name_prefix = function(name) {
     if (name) {
@@ -719,6 +724,7 @@ $.cookie_write = function(c) {
         options.expires = c.expires
         options.domain = c.domain || default_cookie_domain
         options.path = c.path || '/'
+        options.secure = c.secure || default_cookie_security
 
         var key = cookie_name_prefix + c.name,
             value = c.data

r2/r2/public/static/js/reddit.js

@@ -1153,6 +1153,9 @@ $(function() {
         }
         /* set up the cookie domain */
         $.default_cookie_domain(reddit.cur_domain.split(':')[0]);
+
+        // When forcing HTTPS, all cookies need the secure flag
+        $.default_cookie_security(reddit.https_forced)
         
         /* visually mark the last-clicked entry */
         last_click();