This adds restrictions on cookies marked with the 'Secure' attribute. Currently, Secure cookies cannot be accessed by insecure (e.g. HTTP) origins. However, insecure origins can still add Secure cookies, delete them, or indirectly evict them. This feature modifies the cookie jar so that insecure origins cannot in any way touch Secure cookies. This does leave a carve out for cookie eviction, which still may cause the deletion of Secure cookies, but only after all non-Secure cookies are evicted.



Editor's draft

Status in Chromium


Enabled by default (tracking bug) in:

  • Chrome for desktop release 58
  • Chrome for Android release 58

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Shipped/Shipping
  • No signal
  • No signal
  • Positive



Chrome supported this feature behind a flag starting in Chrome 52. In Chrome 58, it was enabled by default.

Last updated on 2020-11-09