When cookies are created purely client-side in JavaScript by setting document.cookie(), what effect does the "secure" attribute have on them?

In particular:

  • are client-created cookies sent to the server in the "Cookie:" header of subsequent requests?

  • can client-created cookies be modified by subsequent Set-Cookie headers from the server?

  • in the case of the previous two questions, assuming the answer is yes, does the secure attribute prevent this if the connection with the server isn't HTTPS?

  • if a page not loaded over HTTPS contains JavaScript that tries to create cookies with the secure attribute, will the cookies even be allowed to be created?

  • do the major browsers handle all this consistently?

A: 

1. Yes, JavaScript-set cookies (set via document.cookie=) are sent to the server in the Cookie request header.

2. Yes, client-set cookies can be overwritten by server-delivered Set-Cookie headers.

3. Yes, it should.

4. It should not.

5. As far as I know, yes, but it should be easy to test.

EricLaw -MSFT-
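An added example, not part of the question or of EricLaw's answer: a small Node.js cookie-jar model of the RFC 6265 / RFC 6265bis storage and sending rules behind the answers above. It shows that Secure cookies are left out of the Cookie header over plain HTTP, that a later Set-Cookie for the same name overwrites a script-set cookie, and that a non-HTTPS origin can neither create nor overwrite a Secure cookie (the "Leave Secure Cookies Alone" rule). The function and class names are my own and the code is a model, not any browser's implementation.

```javascript
// Added example: a model of the cookie storage/sending rules, not browser code.
// Both document.cookie= and a Set-Cookie header feed the same storage algorithm.

function parseCookie(str) {
  // "name=value; Secure; Path=/" -> { name, value, secure }
  const [pair, ...attrs] = str.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: attrs.some(a => a.toLowerCase() === 'secure'),
  };
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Store a cookie coming from an origin (script or Set-Cookie header).
  // originSecure is true when the setting page/response is https://.
  // Returns true if stored, false if the jar rejects it.
  set(cookieStr, originSecure) {
    const c = parseCookie(cookieStr);
    // "Leave Secure Cookies Alone" (RFC 6265bis): a non-secure origin may
    // neither create a Secure cookie nor overwrite an existing Secure cookie.
    if (!originSecure) {
      if (c.secure) return false;
      const existing = this.cookies.get(c.name);
      if (existing && existing.secure) return false;
    }
    this.cookies.set(c.name, c); // same name => overwrite, whoever set it
    return true;
  }

  // Build the Cookie request header; Secure cookies are attached only when
  // the request itself goes over HTTPS.
  cookieHeader(requestSecure) {
    return [...this.cookies.values()]
      .filter(c => requestSecure || !c.secure)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}
```

Running the jar through the five questions: a script on an https:// page sets sid=abc; Secure, an http:// page can neither replace nor strip it, and a later Set-Cookie over HTTPS does overwrite it.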