From bdd42a090285a792a106710c8142a381987a2c15 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Thu, 10 Sep 2015 22:41:08 +0000
Subject: [PATCH] Set the `secure` flag on the `wp-saving-post` cookie when using HTTPS.

This cookie doesn't contain any sensitive information, but this change brings its behaviour in line with all other core cookies.

Fixes #31056

git-svn-id: https://develop.svn.wordpress.org/trunk@34027 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/post.php | 2 +-
 src/wp-includes/js/autosave.js | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/wp-admin/post.php b/src/wp-admin/post.php
index c1491340c5..2fcef19ba2 100644
--- a/src/wp-admin/post.php
+++ b/src/wp-admin/post.php
@@ -190,7 +190,7 @@ case 'editpost':
 // Session cookie flag that the post was saved
 if ( isset( $_COOKIE['wp-saving-post'] ) && $_COOKIE['wp-saving-post'] === $post_id . '-check' ) {
- setcookie( 'wp-saving-post', $post_id . '-saved', time() + DAY_IN_SECONDS );
+ setcookie( 'wp-saving-post', $post_id . '-saved', time() + DAY_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, is_ssl() );
 }
 redirect_post($post_id); // Send user on their way while we keep working
diff --git a/src/wp-includes/js/autosave.js b/src/wp-includes/js/autosave.js
index 4e6834a15d..c79d5a45a1 100644
--- a/src/wp-includes/js/autosave.js
+++ b/src/wp-includes/js/autosave.js
@@ -286,7 +286,8 @@ window.autosave = function() {
 });
 }
- wpCookies.set( 'wp-saving-post', post_id + '-check', 24 * 60 * 60 );
+ var secure = ( 'https:' === window.location.protocol );
+ wpCookies.set( 'wp-saving-post', post_id + '-check', 24 * 60 * 60, false, false, secure );
 });
 }
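Review bot: In src/wp-admin/post.php the new `setcookie()` call pins the path and domain to `ADMIN_COOKIE_PATH` and `COOKIE_DOMAIN` as well as adding the secure flag, while the matching `wpCookies.set()` call in the autosave.js hunk passes `false` for both. Browsers store cookies with the same name but different path or domain attributes as separate cookies, so on installs where those constants differ from what the browser would default to (presumably a configured `COOKIE_DOMAIN`), the `-saved` value may sit beside the `-check` value instead of replacing it. It is worth confirming which value the client then reads back, or setting the same path and domain on both sides. A comment above the call such as `// Path, domain and secure must match the wp-saving-post cookie set in autosave.js` would record the coupling. The enclosing `case 'editpost':` block starts and ends outside the hunk.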
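Review bot: In src/wp-includes/js/autosave.js the two positional `false` arguments in the new `wpCookies.set()` call are opaque at the call site, and nothing records why the flag is derived from the page scheme. A short comment would help, for example `// path and domain: browser defaults; secure: only when the editor itself was loaded over HTTPS`. Because this cookie is written from script it cannot be HttpOnly, and `secure` only restricts the transport it is sent over, so it is also worth stating that the value must stay a non-sensitive marker: `// Marker only: readable by page scripts, never store anything sensitive here`. The enclosing handler begins before the hunk.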