Enforce limits on the size (in bytes) of cookies set by HTTP responses (Set-Cookie header) and via JS APIs (document.cookie and CookieStore).


RFC 6265bis has long suggested a limit on cookie sizes, but different user agents have implemented limits in subtly different ways, creating interoperability issues and providing a browser fingerprinting mechanism. After the spec change corresponding to this Intent, user agents are now required to limit the sum of the lengths of the cookie's name and value to 4096 bytes, and limit the length of each cookie attribute value to 1024 bytes. Any attempt to set a cookie exceeding the name+value limit is rejected, and any cookie attribute exceeding the attribute length limit is ignored.


Specification link

Unknown standards status - check spec link for status

Status in Chromium


Proposed (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • No signals


Search tags


Last updated on 2021-09-14