How we built it

Strict Secure Cookies

This adds restrictions on cookies marked with the 'Secure' attribute. Currently, Secure cookies cannot be accessed by insecure (e.g. HTTP) origins. However, insecure origins can still add Secure cookies, delete them, or indirectly evict them. This feature modifies the cookie jar so that insecure origins cannot in any way touch Secure cookies. This does leave a carve out for cookie eviction, which still may cause the deletion of Secure cookies, but only after all non-Secure cookies are evicted.



Editor's draft

Status in Chromium

Behind a flag (launch bug) in:

  • Chrome for desktop release 52
  • Chrome for Android release 52
  • Opera release 39
  • Opera for Android release 39

Consensus & Standardization

  • In development
  • No public signals
  • No public signals
  • Positive


Last updated on 2016-07-28