Binds cookies to their setting origin (by default) such that they are only accessible by that origin, i.e. only sent on a request to it or visible through `document.cookie` from it. Cookies may relax the host and port binding through use of the `Domain` attribute, but all cookies remain bound to their setting scheme.

Motivation

Cookies are not secure by default. A simple cookie `Set-Cookie: foo=bar` can be accessed by any scheme or port on the same host, regardless of which one set it originally. This can lead to users' data leaking to attackers or allow attackers to alter users' state. By only sending cookies back to the origins that set them (binding them to the origins) we can protect cookies (by default) from untrusted origins.
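The following added example (not part of the Chromium feature entry or its implementation) models the two scoping rules described above side by side: the legacy rule, under which only the host (or `Domain`) decides whether a cookie is attached, and the origin-bound rule, under which the scheme must always match and the port must match unless `Domain` relaxes it. The `Set-Cookie` parser is deliberately minimal and only understands `name=value` plus `Domain`; `Secure`, `Path` and the other attributes are ignored here, and the hostnames under `.test` are constructed sample values.

```python
"""Classic vs origin-bound cookie scoping, as an illustrative model (assumption:
rules as summarised in the feature description; Secure/Path/etc. are ignored)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    set_scheme: str              # scheme of the origin that set the cookie
    set_host: str                # host of the origin that set the cookie
    set_port: int                # port of the origin that set the cookie
    domain: Optional[str] = None  # Domain attribute; None means host-only cookie


def origin_of(url: str):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port if p.port is not None else DEFAULT_PORTS[scheme]
    return scheme, host, port


def parse_set_cookie(header: str, setting_url: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value plus an optional Domain attribute."""
    parts = [s.strip() for s in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            # A leading dot on Domain is ignored (RFC 6265 section 5.2.3).
            domain = val.strip().lstrip(".").lower()
    scheme, host, port = origin_of(setting_url)
    return Cookie(name.strip(), value.strip(), scheme, host, port, domain)


def host_matches(cookie: Cookie, request_host: str) -> bool:
    """Host-only cookies need an exact host; Domain cookies use RFC 6265 domain matching."""
    if cookie.domain is None:
        return request_host == cookie.set_host
    return request_host == cookie.domain or request_host.endswith("." + cookie.domain)


def sent_classic(cookie: Cookie, request_url: str) -> bool:
    """Legacy rule: only the host (or Domain) matters; scheme and port are ignored."""
    _, host, _ = origin_of(request_url)
    return host_matches(cookie, host)


def sent_origin_bound(cookie: Cookie, request_url: str) -> bool:
    """Origin-bound rule: scheme always bound; port bound unless Domain relaxes it."""
    scheme, host, port = origin_of(request_url)
    if scheme != cookie.set_scheme:
        return False
    if not host_matches(cookie, host):
        return False
    if cookie.domain is None and port != cookie.set_port:
        return False
    return True


def compare(header: str, setting_url: str, request_urls):
    """Map each request URL to (sent under classic rule, sent under origin-bound rule)."""
    cookie = parse_set_cookie(header, setting_url)
    return {u: (sent_classic(cookie, u), sent_origin_bound(cookie, u)) for u in request_urls}


if __name__ == "__main__":
    # Constructed sample: a plain cookie set over https on the default port.
    for url, (classic, bound) in compare(
        "foo=bar", "https://example.test/",
        ["https://example.test/", "http://example.test/",
         "https://example.test:8443/", "https://sub.example.test/"],
    ).items():
        print(f"{url:32} classic={classic!s:5} origin-bound={bound}")
```

Running the block shows the difference the feature makes: the same host over plain `http` or on port 8443 receives the cookie today but not under origin-bound rules, while a `Domain=example.test` cookie still reaches `sub.example.test` on any port as long as the scheme matches.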

Status in Chromium

Blink>Network


Proposed (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • No signals

Owners

Comments

Based off of Mike West's Scheming Cookies.

Search tags

scheme bound cookies, scheme-bound cookies, origin bound cookies, origin-bound cookies, scheme bound cookie, scheme-bound cookie, origin bound cookie, origin-bound cookie, cookie, cookies

Last updated on 2021-07-09