Strict Secure Cookies

This feature adds restrictions on cookies carrying the 'Secure' attribute. Currently, Secure cookies cannot be read by insecure (e.g. HTTP) origins. However, insecure origins can still set Secure cookies, delete them, or indirectly evict them. This feature modifies the cookie jar so that insecure origins cannot touch Secure cookies in any way. It does leave a carve-out for cookie eviction, which may still cause the deletion of Secure cookies, but only after all non-Secure cookies have been evicted.
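To make the rule concrete, here is an added toy cookie jar that models the behaviour described above. It is example code written for this page, not Chromium's cookie store or any project's own code. It assumes a simplified identity for cookies (name, domain and path must all match for one cookie to "touch" another), a fixed jar capacity so that eviction is observable, and a `max_age <= 0` convention for deletion; Chromium's real matching and eviction heuristics are more involved.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str
    path: str
    value: str
    secure: bool
    max_age: int = 3600  # constructed convention: <= 0 means "delete this cookie"


class StrictSecureCookieJar:
    """Toy jar implementing the strict-Secure-cookie rule (example, not Chromium's code).

    Assumptions: cookies are keyed by (name, domain, path); insertion order
    doubles as age for eviction; capacity is small so overflow is easy to show.
    """

    def __init__(self, capacity=4):
        self.capacity = capacity
        self._jar = OrderedDict()

    @staticmethod
    def _key(cookie):
        return (cookie.name, cookie.domain, cookie.path)

    def set_cookie(self, cookie, from_secure_origin):
        """Apply a Set-Cookie from an origin. Returns True if the jar accepted it."""
        key = self._key(cookie)
        if not from_secure_origin:
            # Rule 1: an insecure origin may not create a Secure cookie.
            if cookie.secure:
                return False
            # Rule 2: an insecure origin may not overwrite or delete an existing Secure cookie.
            existing = self._jar.get(key)
            if existing is not None and existing.secure:
                return False
        if cookie.max_age <= 0:
            # Deletion (only reachable for Secure cookies from a secure origin).
            return self._jar.pop(key, None) is not None
        if key in self._jar:
            del self._jar[key]  # overwrite: re-insert so the cookie counts as newest
        elif len(self._jar) >= self.capacity:
            self._evict_one()
        self._jar[key] = cookie
        return True

    def _evict_one(self):
        # Carve-out: eviction may remove a Secure cookie, but only once no
        # non-Secure cookie is left to evict. Oldest non-Secure goes first.
        for key, c in self._jar.items():
            if not c.secure:
                del self._jar[key]
                return
        self._jar.popitem(last=False)  # no non-Secure left: evict oldest Secure

    def get(self, name, domain, path, from_secure_origin):
        """Read a cookie value; Secure cookies are invisible to insecure origins."""
        c = self._jar.get((name, domain, path))
        if c is None or (c.secure and not from_secure_origin):
            return None
        return c.value

    def names(self):
        return [c.name for c in self._jar.values()]


def run_scenario():
    """Constructed scenario: what an insecure origin can and cannot do to a Secure cookie."""
    jar = StrictSecureCookieJar(capacity=3)
    sid = Cookie("sid", "example.test", "/", "s3cret", secure=True)
    jar.set_cookie(sid, from_secure_origin=True)
    insecure = False
    results = {
        "read_from_insecure": jar.get("sid", "example.test", "/", insecure),
        "overwrite_from_insecure": jar.set_cookie(
            Cookie("sid", "example.test", "/", "evil", secure=False), insecure),
        "delete_from_insecure": jar.set_cookie(
            Cookie("sid", "example.test", "/", "", secure=False, max_age=0), insecure),
        "create_secure_from_insecure": jar.set_cookie(
            Cookie("x", "example.test", "/", "1", secure=True), insecure),
    }
    # Overflow the jar with non-Secure cookies from an insecure origin:
    # eviction must take a non-Secure cookie, never the Secure one.
    for i in range(3):
        jar.set_cookie(Cookie(f"t{i}", "example.test", "/", str(i), secure=False), insecure)
    results["sid_after_overflow"] = jar.get("sid", "example.test", "/", True)
    results["names_after_overflow"] = jar.names()
    # Only when every remaining cookie is Secure does eviction touch one of them.
    only_secure = StrictSecureCookieJar(capacity=2)
    for n in ("a", "b", "c"):
        only_secure.set_cookie(Cookie(n, "example.test", "/", n, secure=True), True)
    results["names_all_secure"] = only_secure.names()
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The four `False`/`None` results are the point of the feature: before it, the overwrite and delete attempts from the insecure origin would have succeeded, giving a network attacker on HTTP a way to clobber a session cookie set over HTTPS. The overflow step shows the carve-out: the jar evicts `t0` rather than `sid`, and only the all-Secure jar loses a Secure cookie.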

Comments

Chrome supported this feature behind a flag starting in Chrome 52. In Chrome 58, it was enabled by default.

Documentation

Specification

Editor's draft

Status in Chromium

Blink

Enabled by default (launch bug) in:

  • Chrome for desktop release 58
  • Chrome for Android release 58
  • Opera release 45
  • Opera for Android release 45

Consensus & Standardization

  • Shipped
  • No public signals
  • No public signals
  • Positive

Owners

Last updated on 2017-06-14