diff --git a/ChangeLog.md b/ChangeLog.md
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,5 +1,9 @@
 # Changelog for http-client
 
+## 0.7.7
+
+* Allow secure cookies for localhost without HTTPS [#460](https://github.com/snoyberg/http-client/pull/460)
+
 ## 0.7.6
 
 * Add `applyBearerAuth` function [#457](https://github.com/snoyberg/http-client/pull/457/files)
diff --git a/Network/HTTP/Client/Cookies.hs b/Network/HTTP/Client/Cookies.hs
--- a/Network/HTTP/Client/Cookies.hs
+++ b/Network/HTTP/Client/Cookies.hs
@@ -14,6 +14,7 @@
     , removeExistingCookieFromCookieJar
     , domainMatches
     , isIpAddress
+    , isPotentiallyTrustworthyOrigin
     , defaultPath
     ) where
 
@@ -29,6 +30,8 @@
 import qualified Network.PublicSuffixList.Lookup as PSL
 import Data.Text.Encoding (decodeUtf8With)
 import Data.Text.Encoding.Error (lenientDecode)
+import qualified Data.IP as IP
+import Text.Read (readMaybe)
 
 import Network.HTTP.Client.Types as Req
 
@@ -111,6 +114,37 @@
 isPublicSuffix :: BS.ByteString -> Bool
 isPublicSuffix = PSL.isSuffix . decodeUtf8With lenientDecode
 
+-- | Algorithm described in \"Secure Contexts\", Section 3.1, \"Is origin potentially trustworthy?\"
+--
+-- Note per RFC6265 section 5.4 user agent is free to define the meaning of "secure" protocol.
+--
+-- See:
+-- https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy
+isPotentiallyTrustworthyOrigin :: Bool          -- ^ True if HTTPS
+                               -> BS.ByteString -- ^ Host
+                               -> Bool          -- ^ Whether or not the origin is potentially trustworthy
+isPotentiallyTrustworthyOrigin secure host
+  | secure = True             -- step 3
+  | isLoopbackAddr4 = True    -- step 4, part 1
+  | isLoopbackAddr6 = True    -- step 4, part 2
+  | isLoopbackHostname = True -- step 5
+  | otherwise = False
+  where isLoopbackHostname =
+               host == "localhost"
+            || host == "localhost."
+            || BS.isSuffixOf ".localhost" host
+            || BS.isSuffixOf ".localhost." host
+        isLoopbackAddr4 =
+          fmap (take 1 . IP.fromIPv4) (readMaybe (S8.unpack host)) == Just [127]
+        isLoopbackAddr6 =
+          fmap IP.toHostAddress6 maddr6 == Just (0, 0, 0, 1)
+        maddr6 = do
+          (c1, rest1) <- S8.uncons host
+          (rest2, c2) <- S8.unsnoc rest1
+          case [c1, c2] of
+            "[]" -> readMaybe (S8.unpack rest2)
+            _ -> Nothing
+
 -- | This corresponds to the eviction algorithm described in Section 5.3 \"Storage Model\"
 evictExpiredCookies :: CookieJar  -- ^ Input cookie jar
                     -> UTCTime    -- ^ Value that should be used as \"now\"
@@ -143,7 +177,7 @@
                 condition2 = pathMatches (Req.path request) (cookie_path cookie)
                 condition3
                   | not (cookie_secure_only cookie) = True
-                  | otherwise = Req.secure request
+                  | otherwise = isPotentiallyTrustworthyOrigin (Req.secure request) (Req.host request)
                 condition4
                   | not (cookie_http_only cookie) = True
                   | otherwise = is_http_api
diff --git a/http-client.cabal b/http-client.cabal
--- a/http-client.cabal
+++ b/http-client.cabal
@@ -1,5 +1,5 @@
 name:                http-client
-version:             0.7.6
+version:             0.7.7
 synopsis:            An HTTP client engine
 description:         Hackage documentation generation is not reliable. For up to date documentation, please see: <http://www.stackage.org/package/http-client>.
 homepage:            https://github.com/snoyberg/http-client
@@ -58,6 +58,7 @@
                      , mime-types
                      , ghc-prim
                      , stm               >= 2.3
+                     , iproute           >= 1.7.5
   if flag(network-uri)
     build-depends: network >= 2.6, network-uri >= 2.6
   else
diff --git a/test-nonet/Network/HTTP/Client/CookieSpec.hs b/test-nonet/Network/HTTP/Client/CookieSpec.hs
--- a/test-nonet/Network/HTTP/Client/CookieSpec.hs
+++ b/test-nonet/Network/HTTP/Client/CookieSpec.hs
@@ -61,3 +61,16 @@
             when countsForEquiv $ cky `equivCookie` f cky `shouldBe` False
 
       check `mapM_` modifications
+
+    it "isPotentiallyTrustworthyOrigin" $ do
+      isPotentiallyTrustworthyOrigin True "" `shouldBe` True
+      let untrusty = ["example", "example.", "example.com", "foolocalhost", "1.1.1.1", "::1", "[::2]"]
+          trusty =
+            [ "127.0.0.1", "127.0.0.2", "127.127.127.127"
+            , "[::1]", "[0:0:0:0:0:0:0:1]"
+            , "localhost", "localhost."
+            , "a.b.c.localhost", "a.b.c.localhost."
+            ]
+      or (map (isPotentiallyTrustworthyOrigin False) untrusty) `shouldBe` False
+      and (map (isPotentiallyTrustworthyOrigin False) trusty) `shouldBe` True
+
