Cookie Prefixes

This feature adds a set of restrictions upon the names which may be used for cookies with specific properties. These restrictions enable user agents to smuggle cookie state to the server within the confines of the existing "Cookie" request header syntax, and limits the ways in which cookies may be abused. In a nutshell: `__Secure-*` cookies have to have the `Secure` flag, and `__Host-*` cookies have to have `Path=/`, can't have `Domain`, and might require `Secure` (depending on the setter).

Demo

• https://googlechrome.github.io/samples/cookie-prefixes/index.html

Specification

Editor's draft

Status in Chromium

Blink components: Blink

Enabled by default (launch bug) in:

• Chrome for desktop release 49
• Chrome for Android release 49
• Opera release 36
• Opera for Android release 36

Consensus & Standardization

• Firefox: Shipped
• Edge: No public signals
• Safari: No public signals
• Web Developers: Mixed signals

Owners

• estark@chromium.org
• mkwst@chromium.org

Last updated on 2017-06-14