- From: Yoav Weiss <yoav.weiss@shopify.com>
- Date: Mon, 24 Feb 2025 11:05:12 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>, Johann Hofmann <johannhof@google.com>, Matt Metzger <matthew.metzger@shopify.com>
- Message-ID: <CALYmMaej-BBWztUa22PpwR0hdQ=NfnQZt6T6PupxEGyEohtybQ@mail.gmail.com>
I've put together an I-D <https://yoavweiss.github.io/httponly_prefix/draft-httponlyprefix-weiss-http.html> to propose this more officially. I'd love feedback on it.

On Thu, Feb 20, 2025 at 9:17 AM Yoav Weiss <yoav.weiss@shopify.com> wrote:

> On Wed, Feb 19, 2025 at 3:16 PM Anne van Kesteren <annevk@annevk.nl> wrote:
>
>> On Wed, Feb 19, 2025 at 2:11 PM Yoav Weiss <yoav.weiss@shopify.com> wrote:
>>> Looking at the current prefixes, it might be fitting to add an "__HttpOnly" prefix that would have the following semantics:
>>> * The cookie is rejected if it's set as a client-side cookie, rather than through a `Set-Cookie` header
>>> * The cookie is rejected if it's set without an "HttpOnly" attribute
>>>
>>> Does this make rough sense?
>>
>> At the very least it should minimally enforce __Secure- semantics,
>
> Makes sense!
>
>> but this raises the question of what should happen if you also want to enforce __Host-.
>
> Dan enumerated some options. I like `__HostHttpOnly` for that case.
>
>> And also what adoption of these prefixes has been thus far.
>
> Looking at the HTTPArchive for November 2024, we see 840008577 responses with "Set-Cookie" headers and a "__Secure" in their value, out of 5307965614 responses overall.
> That's roughly 15.8%. So I'd say this is pretty widely used.
>
>> Because if it's very low it's a bit unclear if we should continue to invest in them as they do require checks all over the place.
>
> At least in Chromium the checks seem pretty well-contained <https://source.chromium.org/chromium/chromium/src/+/main:net/cookies/cookie_util.cc;l=744;drc=8b7ec5d99ad2d76762011a50ed1c14d754e3ff5f;bpv=1;bpt=1>.

> I was wrong and there's at least some duplication of the related logic <https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/cookie_store/cookie_store.cc;l=94?q=host&ss=chromium%2Fchromium%2Fsrc:third_party%2Fblink%2Frenderer%2Fmodules%2Fcookie_store%2F>.
Received on Monday, 24 February 2025 10:05:27 UTC
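The prefix semantics discussed in the thread, as an added example that is not from the I-D or from any browser: a small validator for `Set-Cookie` values that applies the existing `__Secure-`/`__Host-` rules and the proposed `__HttpOnly-`/`__HostHttpOnly-` ones (HttpOnly attribute required, rejected when set from script rather than a `Set-Cookie` header). The trailing hyphen on the new prefix names, the case-insensitive prefix matching, and the `via_http`/`secure_origin` flags are assumptions made for this illustration.

```python
"""Cookie-prefix validator: existing __Secure-/__Host- rules plus the
proposed __HttpOnly-/__HostHttpOnly- prefixes (names assumed from the thread)."""


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attr-name-lower: attr-value})."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    parsed = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        parsed[key.strip().lower()] = val.strip()
    return name.strip(), value, parsed


def prefix_check(header: str, *, secure_origin: bool, via_http: bool):
    """Return (accepted, reason).

    via_http=False models document.cookie / CookieStore; secure_origin=False
    models a plain-http page. Prefixes are compared case-insensitively (assumed).
    """
    name, _value, attrs = parse_set_cookie(header)
    lower = name.lower()
    wants_secure = wants_host = wants_httponly = False
    if lower.startswith("__hosthttponly-"):      # proposed: __Host- + HttpOnly
        wants_secure = wants_host = wants_httponly = True
    elif lower.startswith("__httponly-"):        # proposed: __Secure- + HttpOnly
        wants_secure = wants_httponly = True
    elif lower.startswith("__host-"):
        wants_secure = wants_host = True
    elif lower.startswith("__secure-"):
        wants_secure = True
    else:
        return True, "no prefix"
    # __Secure- semantics: Secure attribute present and set from a secure origin.
    if wants_secure and ("secure" not in attrs or not secure_origin):
        return False, "missing Secure attribute or insecure origin"
    # __Host- semantics: no Domain attribute and Path=/ (host-scoped only).
    if wants_host and ("domain" in attrs or attrs.get("path") != "/"):
        return False, "__Host- requires Path=/ and no Domain"
    # Proposed HttpOnly semantics: only via Set-Cookie, and HttpOnly must be set.
    if wants_httponly and not via_http:
        return False, "prefix only allowed from Set-Cookie header"
    if wants_httponly and "httponly" not in attrs:
        return False, "missing HttpOnly attribute"
    return True, "ok"
```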