- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 19 Feb 2025 15:16:42 +0100
- To: Yoav Weiss <yoav.weiss@shopify.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, Johann Hofmann <johannhof@google.com>, Matt Metzger <matthew.metzger@shopify.com>

On Wed, Feb 19, 2025 at 2:11 PM Yoav Weiss <yoav.weiss@shopify.com> wrote:
> Looking at the current prefixes, it might be fitting to add an "__HttpOnly" prefix that would have the following semantics:
> * The cookie is rejected if it's set as a client-side cookie, rather than through a `Set-Cookie` header
> * The cookie is rejected if it's set without an "HttpOnly" attribute
>
> Does this make rough sense?

At the very least it should minimally enforce __Secure- semantics, but this raises the question of what should happen if you also want to enforce __Host-. And also what adoption of these prefixes has been thus far. Because if it's very low it's a bit unclear if we should continue to invest in them as they do require checks all over the place.

Received on Wednesday, 19 February 2025 14:17:00 UTC
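
The prefix checks discussed in this message, as an added example that is not part of the original email or of any browser's code: it applies the existing `__Secure-` and `__Host-` rules and the two rules quoted for the proposed `__HttpOnly` prefix. The function names, the `ctx` fields and the sample cookies are assumptions made for illustration, and how `__HttpOnly` should combine with `__Secure-` or `__Host-` is left open in the thread, so it is checked independently here.

```javascript
// Added example: prefix checks run before a cookie is stored.
// Parse "name=value; Attr; Attr=val" into a name and a lower-cased attribute map.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? "" : pair.slice(0, eq).trim();
  const attrs = new Map();
  for (const item of rest) {
    if (!item) continue;
    const i = item.indexOf("=");
    const key = (i === -1 ? item : item.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : item.slice(i + 1).trim());
  }
  return { name, attrs };
}

// ctx.secureOrigin: the setting origin is secure (https).
// ctx.fromHttp: true for a Set-Cookie header, false for document.cookie.
function checkCookiePrefix(line, ctx) {
  const { name, attrs } = parseSetCookie(line);
  const lower = name.toLowerCase(); // prefixes are matched case-insensitively
  const secureOk = attrs.has("secure") && ctx.secureOrigin;
  const no = (reason) => ({ accepted: false, reason });

  if (lower.startsWith("__secure-") && !secureOk)
    return no("__Secure- requires Secure from a secure origin");
  if (lower.startsWith("__host-")) {
    if (!secureOk) return no("__Host- requires Secure from a secure origin");
    if (attrs.has("domain")) return no("__Host- forbids Domain");
    if (attrs.get("path") !== "/") return no("__Host- requires Path=/");
  }
  // Proposed prefix, spelled as in the quoted proposal (hypothetical, not deployed).
  // Whether a trailing "-" belongs to the prefix is not stated in the message.
  if (lower.startsWith("__httponly")) {
    if (!ctx.fromHttp) return no("__HttpOnly must come from a Set-Cookie header");
    if (!attrs.has("httponly")) return no("__HttpOnly requires the HttpOnly attribute");
  }
  return { accepted: true, reason: "ok" };
}

// Constructed sample inputs: [cookie string, setting context].
const samples = [
  ["__HttpOnly-sid=abc; HttpOnly; Secure; Path=/", { secureOrigin: true, fromHttp: true }],
  ["__HttpOnly-sid=abc; Secure; Path=/", { secureOrigin: true, fromHttp: true }],
  ["__HttpOnly-sid=abc; HttpOnly", { secureOrigin: true, fromHttp: false }],
  ["__Host-sid=abc; Secure; Path=/; Domain=example.test", { secureOrigin: true, fromHttp: true }],
];
for (const [line, ctx] of samples) console.log(line, "->", checkCookiePrefix(line, ctx).reason);
```
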