On Wed, Feb 19, 2025 at 3:16 PM Anne van Kesteren <annevk@annevk.nl> wrote:
> On Wed, Feb 19, 2025 at 2:11 PM Yoav Weiss <yoav.weiss@shopify.com> wrote:
> > Looking at the current prefixes, it might be fitting to add an
> > "__HttpOnly" prefix that would have the following semantics:
> > * The cookie is rejected if it's set as a client-side cookie, rather
> > than through a `Set-Cookie` header
> > * The cookie is rejected if it's set without an "HttpOnly" attribute
> >
> > Does this make rough sense?
>
> At the very least it should minimally enforce __Secure- semantics,
Makes sense!
> but
> this raises the question of what should happen if you also want to
> enforce __Host-.
Dan enumerated some options. I like `__HostHttpOnly` for that case.
> And also what adoption of these prefixes has been
> thus far.
Looking at the HTTPArchive for November 2024, we see 840008577 responses
with "Set-Cookie" headers and a "__Secure" in their value, out of
5307965614 responses overall.
That's roughly 15.8%. So I'd say this is pretty widely used.
> Because if it's very low it's a bit unclear if we should
> continue to invest in them as they do require checks all over the
> place.
>
At least in Chromium the checks seem pretty well-contained
<https://source.chromium.org/chromium/chromium/src/+/main:net/cookies/cookie_util.cc;l=744;drc=8b7ec5d99ad2d76762011a50ed1c14d754e3ff5f;bpv=1;bpt=1>.
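As an added illustration of the prefix semantics discussed in this thread (not code from the thread, from Chromium, or from any browser engine): a small checker that applies the existing `__Secure-`/`__Host-` rules from RFC 6265bis together with the proposed `__HttpOnly-`/`__HostHttpOnly-` rules as described above. The prefix spelling with a trailing hyphen, the `source` parameter, and the function names are assumptions.

```javascript
// Added example, not code from the thread or from any browser engine.
// Applies the existing __Secure-/__Host- prefix rules (RFC 6265bis) and the
// __HttpOnly-/__HostHttpOnly- semantics proposed in the thread. Prefix
// spelling, the `source` parameter and the function names are assumptions.

function parseSetCookie(header) {
  // Split "name=value; Attr; Attr=val" into the name and a lower-cased
  // attribute map; attributes without a value are recorded as `true`.
  const [nameValue, ...rawAttrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const name = (eq >= 0 ? nameValue.slice(0, eq) : nameValue).trim();
  const attributes = {};
  for (const a of rawAttrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i >= 0 ? a.slice(0, i) : a).trim().toLowerCase();
    attributes[key] = i >= 0 ? a.slice(i + 1).trim() : true;
  }
  return { name, attributes };
}

// source is 'header' (Set-Cookie response header) or 'script'
// (document.cookie / a non-HTTP API). Returns true if the cookie is stored.
function cookieAccepted(header, { secureOrigin, source }) {
  const { name, attributes } = parseSetCookie(header);
  const secure = 'secure' in attributes;
  const httpOnly = 'httponly' in attributes;

  // Rules that apply to every cookie, prefixed or not.
  if (secure && !secureOrigin) return false;         // Secure needs a secure origin
  if (httpOnly && source === 'script') return false; // HttpOnly cannot be set by script

  // __Host-: Secure, no Domain attribute, Path exactly "/".
  const hostOk = secure && !('domain' in attributes) && attributes.path === '/';
  const lower = name.toLowerCase(); // prefixes are matched case-insensitively

  if (lower.startsWith('__hosthttponly-')) {
    return hostOk && httpOnly && source === 'header';
  }
  if (lower.startsWith('__httponly-')) {
    // Proposed: must carry HttpOnly and arrive via Set-Cookie; also gets
    // at least __Secure- semantics, as suggested in the thread.
    return secure && httpOnly && source === 'header';
  }
  if (lower.startsWith('__host-')) return hostOk;
  if (lower.startsWith('__secure-')) return secure;
  return true;
}
```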