This feature adds a set of restrictions upon the names which may be used for cookies with specific properties. These restrictions enable user agents to smuggle cookie state to the server within the confines of the existing "Cookie" request header syntax, and limit the ways in which cookies may be abused. In a nutshell: `__Secure-*` cookies have to have the `Secure` flag, and `__Host-*` cookies have to have `Path=/`, can't have `Domain`, and might require `Secure` (depending on the setter).
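The rules above can be checked against `Set-Cookie` header values before they ship, for example in a test suite or a response-auditing script. The following is an added example, not code from Chromium or the specification; the function names, the `hostRequiresSecure` option (the text says the `Secure` requirement for `__Host-` depends on the setter) and the case-insensitive prefix match are assumptions, and the sample headers are constructed.

```javascript
// Parse a Set-Cookie header value into its cookie name and a map of
// lower-cased attribute names to attribute values.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? "" : pair.slice(0, eq)).trim();
  const attrs = new Map();
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Apply the prefix rules described above. hostRequiresSecure is a
// hypothetical switch for the "depending on the setter" case; it defaults
// to the stricter behaviour. Prefixes are matched case-insensitively
// (assumption, also the stricter choice).
function checkCookiePrefix(header, { hostRequiresSecure = true } = {}) {
  const { name, attrs } = parseSetCookie(header);
  const lower = name.toLowerCase();
  const problems = [];
  if (lower.startsWith("__secure-") && !attrs.has("secure")) {
    problems.push("__Secure- cookie without Secure");
  }
  if (lower.startsWith("__host-")) {
    if (attrs.get("path") !== "/") problems.push("__Host- cookie without Path=/");
    if (attrs.has("domain")) problems.push("__Host- cookie with Domain");
    if (hostRequiresSecure && !attrs.has("secure")) {
      problems.push("__Host- cookie without Secure");
    }
  }
  return { name, ok: problems.length === 0, problems };
}

// Constructed sample headers, not taken from any real site.
const samples = [
  "__Secure-sid=abc; Secure; Path=/app",
  "__Secure-sid=abc; Path=/",
  "__Host-sid=abc; Secure; Path=/",
  "__Host-sid=abc; Secure; Path=/; Domain=example.com",
  "__Host-sid=abc; Secure",
  "sid=abc",
];
for (const h of samples) {
  const r = checkCookiePrefix(h);
  console.log(r.ok ? "accept" : "reject", h, r.problems.join("; "));
}
```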

Specification

Specification link


Specification being incubated in a Community Group

Status in Chromium

Blink


Enabled by default (tracking bug)

Search tags

cookies

Last updated on 2020-11-09