There are a few cookie related topics on this list, some of them are related to changes made
But actually the devtools keep the developer in the dark when he/she stumbles upon it and tries to debugging the issue!
The problem is that the devtools will not show the secure cookies on the insecure site, even though they block setting a insecure version of the cookie as made with the change linked above and thus the developer cannot understand why it fails. Devtools should only filter cookies show to the developer by domain!
I have a test site with http on port 8080 and https on port 8443.
When I log in via http, I get a insecure session cookies that will be shown in the application:
Via https the same cookies are shown:
When I remove these cookies and log in via https, I get fresh secure cookies:
Now the insecure site will enter an endless login loop because the server will try to set insecure cookies, which Chrome will block as intended. But when I debug the insecure site will not see these cookies:
This is very frustrating and should be fixed.
Even if Chrome does not send secure cookies to an insecure site, cookies are not filtered by port, and so shouldn't the devtools. The devtools should show all cookies of a domain to the developer.
I am using Version 60.0.3112.101 (official) (64-Bit)