MC-42497: Session Cookie (Authentication Related) Does Not Contain The "HTTPOnly" and "secure" Attribute

- Fix cookies created with $.mage.cookies are not "secure"

Author: bubasuma

app/code/Magento/Cookie/Test/Mftf/Test/StorefrontVerifySecureCookieTest.xml

@@ -45,5 +45,10 @@
             <actualResult type="variable">isCookieSecure</actualResult>
             <expectedResult type="string">true</expectedResult>
         </assertEquals>
+        <executeJS function="return jQuery.mage.cookies.defaults.secure ? 'true' : 'false'" stepKey="isCookieSecure2"/>
+        <assertEquals stepKey="assertCookieIsSecure2">
+            <actualResult type="variable">isCookieSecure2</actualResult>
+            <expectedResult type="string">true</expectedResult>
+        </assertEquals>
     </test>
 </tests>

app/code/Magento/Cookie/Test/Mftf/Test/StorefrontVerifyUnsecureCookieTest.xml

@@ -32,5 +32,10 @@
             <actualResult type="variable">isCookieSecure</actualResult>
             <expectedResult type="string">false</expectedResult>
         </assertEquals>
+        <executeJS function="return jQuery.mage.cookies.defaults.secure ? 'true' : 'false'" stepKey="isCookieSecure2"/>
+        <assertEquals stepKey="assertCookieIsSecure2">
+            <actualResult type="variable">isCookieSecure2</actualResult>
+            <expectedResult type="string">false</expectedResult>
+        </assertEquals>
     </test>
 </tests>

app/code/Magento/Theme/ViewModel/Block/SessionConfig.php

@@ -0,0 +1,45 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Theme\ViewModel\Block;
+
+use Magento\Framework\Session\Config\ConfigInterface;
+use Magento\Framework\View\Element\Block\ArgumentInterface;
+
+/**
+ * Provide cookie configuration
+ */
+class SessionConfig implements ArgumentInterface
+{
+    /**
+     * Session config
+     *
+     * @var ConfigInterface
+     */
+    private $sessionConfig;
+
+    /**
+     * Constructor
+     *
+     * @param ConfigInterface $sessionConfig
+     */
+    public function __construct(
+        ConfigInterface $sessionConfig
+    ) {
+        $this->sessionConfig = $sessionConfig;
+    }
+    /**
+     * Get session.cookie_secure
+     *
+     * @return bool
+     * @SuppressWarnings(PHPMD.BooleanGetMethodName)
+     */
+    public function getCookieSecure(): bool
+    {
+        return $this->sessionConfig->getCookieSecure();
+    }
+}

app/code/Magento/Theme/view/frontend/layout/default.xml

@@ -12,7 +12,11 @@
         <block name="require.js" class="Magento\Framework\View\Element\Template" template="Magento_Theme::page/js/require_js.phtml" />
         <referenceContainer name="after.body.start">
             <block class="Magento\RequireJs\Block\Html\Head\Config" name="requirejs-config"/>
-            <block class="Magento\Framework\View\Element\Js\Cookie" name="js_cookies" template="Magento_Theme::js/cookie.phtml"/>
+            <block class="Magento\Framework\View\Element\Js\Cookie" name="js_cookies" template="Magento_Theme::js/cookie.phtml">
+                <arguments>
+                    <argument name="session_config" xsi:type="object">Magento\Theme\ViewModel\Block\SessionConfig</argument>
+                </arguments>
+            </block>
             <block class="Magento\Theme\Block\Html\Notices" name="global_notices" template="Magento_Theme::html/notices.phtml"/>
         </referenceContainer>
         <referenceBlock name="top.links">

app/code/Magento/Theme/view/frontend/templates/js/cookie.phtml

@@ -18,7 +18,7 @@
                 "expires": null,
                 "path": "<?= $block->escapeJs($block->getPath()) ?>",
                 "domain": "<?= $block->escapeJs($block->getDomain()) ?>",
-                "secure": false,
+                "secure": <?= $block->getSessionConfig()->getCookieSecure() ? 'true' : 'false'; ?>,
                 "lifetime": "<?= $block->escapeJs($block->getLifetime()) ?>"
             }
         }