This repository has been archived by the owner on Nov 4, 2024. It is now read-only.
Problematic advice regarding cookies with HSTS without secure flag #515
Labels: security (An issue that relates to the content of the security recommendations in Observatory)
The Observatory gives a penalty for cookies without the secure flag.
However, it gives a smaller penalty if the site uses HSTS. The explanation is:
Session cookie set without the Secure flag, but transmission over HTTP prevented by HSTS
This is misleading. It is possible to have setups where a cookie is sent over HSTS, but can still be transmitted in plain text.
I have set up a simple example:
I think it is problematic to imply that HSTS would make the cookie secure flag unnecessary.
( https://bugzilla.mozilla.org/show_bug.cgi?id=1870262 is also related.)
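The following is an added illustration, not the reporter's example and not Observatory code: a small model of how a browser scopes cookies (RFC 6265 domain matching) and HSTS policies (RFC 6797 host matching). It shows one setup where HSTS is in place yet a non-Secure cookie still goes out in cleartext: www.example.com sends Strict-Transport-Security without includeSubDomains and sets a session cookie with Domain=example.com, so any other host under example.com reached over plain http: receives that cookie. The hostnames are constructed, and the model ignores Path, expiry, ports and the preload list.

```python
"""Added example: minimal model of browser cookie scoping versus HSTS scoping.

Hostnames (www.example.com, legacy.example.com, example.com) are constructed
for illustration.  The model ignores cookie Path and expiry, non-default
ports and the HSTS preload list.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    domain: str        # setting host, or the Domain attribute if one was given
    host_only: bool    # True when no Domain attribute was sent (RFC 6265 5.3)
    secure: bool       # the Secure flag the Observatory is checking for


@dataclass
class HstsEntry:
    host: str                 # host that sent Strict-Transport-Security
    include_subdomains: bool  # the includeSubDomains directive (RFC 6797 6.1.2)


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3 domain matching: equal, or a suffix on a label boundary."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def hsts_applies(hsts: list[HstsEntry], host: str) -> bool:
    """RFC 6797 8.2/8.3: an entry covers its own host, and its subdomains only
    when includeSubDomains was asserted.  A parent domain is never covered."""
    host = host.lower()
    for entry in hsts:
        if host == entry.host.lower():
            return True
        if entry.include_subdomains and host.endswith("." + entry.host.lower()):
            return True
    return False


def request(jar: list[Cookie], hsts: list[HstsEntry], url: str) -> tuple[str, list[str]]:
    """Simulate a navigation: return (scheme actually used, names of cookies attached)."""
    parts = urlsplit(url)
    host, scheme = parts.hostname, parts.scheme
    if scheme == "http" and hsts_applies(hsts, host):
        scheme = "https"   # HSTS upgrades the request before it leaves the browser
    attached = []
    for c in jar:
        if c.host_only:
            in_scope = host == c.domain.lower()
        else:
            in_scope = domain_matches(host, c.domain)
        if not in_scope:
            continue
        if c.secure and scheme != "https":
            continue       # only the Secure flag keeps the cookie off a cleartext request
        attached.append(c.name)
    return scheme, attached


def scenario(secure_flag: bool) -> dict[str, tuple[str, list[str]]]:
    """www.example.com sets HSTS (no includeSubDomains) and a cookie with Domain=example.com."""
    hsts = [HstsEntry("www.example.com", include_subdomains=False)]
    jar = [Cookie("session", "example.com", host_only=False, secure=secure_flag)]
    return {
        url: request(jar, hsts, url)
        for url in (
            "http://www.example.com/",      # covered by HSTS: upgraded, cookie sent over TLS
            "http://legacy.example.com/",   # sibling host, no HSTS: cookie sent in cleartext
            "http://example.com/",          # parent domain, no HSTS: cookie sent in cleartext
        )
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"Secure flag {'set' if flag else 'absent'}:")
        for url, (scheme, cookies) in scenario(flag).items():
            print(f"  {url:30} -> {scheme:5} cookies={cookies}")
```

Running it shows the case the Observatory text reasons about (http://www.example.com/ is upgraded, so the cookie travels over TLS) next to the two requests it does not account for, where the same cookie is attached to a cleartext request to legacy.example.com and to example.com; only setting the Secure flag removes it from those. Note that includeSubDomains on www.example.com would not change the example.com result either, since an HSTS entry never covers its parent domain.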