From 8f7fadf98151511defbeb49b1a3b5e0858a4eecb Mon Sep 17 00:00:00 2001
From: Pablo Brasero <pablo@pablobm.com>
Date: Mon, 6 Oct 2025 16:57:34 +0100
Subject: [PATCH] Secure cookies only when HTTPS expected

This is particularly important if running system tests with
a remote Selenium instance. HTTPS and localhost are considered
"secure" for this purpose, while a remote Selenium will connect
to the app with HTTP instead.
---
 app/assets/javascripts/osm.js.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/assets/javascripts/osm.js.erb b/app/assets/javascripts/osm.js.erb
index d9b2530bf..56b6bd88e 100644
--- a/app/assets/javascripts/osm.js.erb
+++ b/app/assets/javascripts/osm.js.erb
@@ -27,7 +27,7 @@ OSM = {
       end.to_json
   %>,
 
-  cookies: Cookies.withAttributes({ path: "/", samesite: "lax", secure: true }),
+  cookies: Cookies.withAttributes({ path: "/", samesite: "lax", secure: <%= (Settings.server_protocol == "https").to_json %> }),
 
   DEFAULT_LOCALE: <%= I18n.default_locale.to_json %>,
 
-- 
2.39.5