Deprecate nonsecurely delivered cookies.

Cookies sent over plaintext HTTP are visible to anyone on the network path. This visibility exposes substantial amounts of data to network attackers, whether passive (eavesdropping) or active (injecting or modifying traffic). We know, for example, that long-lived and stable cookies have enabled pervasive monitoring in the past (see Google's PREF cookie), and we know that HTTPS provides significant confidentiality protections against this kind of attack. Over time, we should mitigate this risk by capping the lifetime of cookies delivered over HTTP.

Specification

Editor's draft

Status in Chromium

Internals>Network>Cookies

Proposed (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signal
  • No signals

Owners

Last updated on 2020-10-25