
__Http- and __HostHttp- cookie prefixes

Open yoavweiss opened this issue 4 months ago • 1 comments

WebKittens

@annevk

Title of the proposal

Http- cookie prefix

URL to the spec

https://github.com/httpwg/http-extensions/pull/3110

URL to the spec's repository

No response

Issue Tracker URL

No response

Explainer URL

No response

TAG Design Review URL

No response

Mozilla standards-positions issue URL

https://github.com/mozilla/standards-positions/issues/1256

WebKit Bugzilla URL

No response

Radar URL

No response

Description

There are cases where it's important to distinguish on the server side between cookies that were set by the server and ones that were set by the client.

One such case is cookies that are normally always set by the server, unless some unexpected code (an XSS exploit, a malicious extension, a commit from a confused developer, etc.) happens to set them on the client.

This proposal adds a signal that would enable servers to make such a distinction.

https://github.com/httpwg/http-extensions/pull/3110 adds the Http- prefix. https://github.com/httpwg/http-extensions/issues/3111 is an ongoing discussion to determine if the combination of the Http and Host prefixes should be __HostHttp- or __Host_Http-.

yoavweiss, Jun 19 '25 12:06