It is also for me, I use https with a certificate. And my webmail is much simpler than gmail which could open other unencrypted page. Even if this is the case, cookies should only be accessible from the site that created it.
In theory