As a result of a programming error in my own dart client code running in Dartium, I discovered that I could successfully access restricted cookie values both in the html.document.cookie property and the request response of a cross origin xhr request made through pub serve. When I turn pub serve off my code failed because I could not longer access the cookie values. Failure is correct in this case because the cookies should not be accessible (is my understanding).
To be totally clear, what I believe to be incorrect access to the cookies occurs when:
1. I run my Dart code with "use pub server" ticked off in the project's Dart Editor launch config..
2. I launch Dartium with the option --disable-web-security so that cross origin xhr requests goes through.
3. My dart code is loaded in Dartium using http:://
127.0.0.1:3030 (the Dart Editor server) (no pub serve)
4. My cross origin request goes to localhost port 8888 successully.
5. I attempt to read the cookie value in the reply and cannot - as expected.
6. Do the above but with pub serve enabled in the launch config (so app is now served from the pub server port not from 3030) and I succeed in reading the cookie value.
Is this a bug in pub serve? Is this a bug at all?