From b473df52bbd887cf98d985b65f5f4adce25c07d5 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 17 Nov 2022 19:08:56 +0100 Subject: [PATCH] HTTP-COOKIES.md: mention that http://localhost is a secure context Reported-by: Trail of Bits Closes #9938 --- docs/HTTP-COOKIES.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/HTTP-COOKIES.md b/docs/HTTP-COOKIES.md index 939e9fab2f..bbcb175a79 100644 --- a/docs/HTTP-COOKIES.md +++ b/docs/HTTP-COOKIES.md @@ -29,6 +29,11 @@ RFC6265. Cookie prefixes and secure cookie modification protection has been implemented by curl. + curl considers `http://localhost` to be a *secure context*, meaning that it + will allow and use cookies marked with the `secure` keyword even when done + over plain HTTP for this host. curl does this to match how popular browsers + work with secure cookies. + ## Cookies saved to disk Netscape once created a file format for storing cookies on disk so that they
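Review bot: In the added paragraph of docs/HTTP-COOKIES.md, "for this host" leaves the scope of the exception unstated: a reader cannot tell whether only the literal name `localhost` qualifies, or whether loopback addresses such as `127.0.0.1` and `[::1]`, or names under `.localhost`, are treated the same way. Suggest stating exactly which host forms are matched, and whether the exception depends on the name actually resolving to a loopback address, since anyone relying on `secure` cookies never being sent in cleartext needs to know where that boundary sits. Minor wording point in the same paragraph: "even when done over plain HTTP" has no clear subject; something like "even when the transfer uses plain HTTP" reads more cleanly.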