The "Cookie prefix" adds restrictions to how cookies with two specific prefixes may be used. This addresses some of the Weak Confidentiality and Weak Integrity concerns noted by RFC 6265 (https://tools.ietf.org/html/rfc6265#section-8.5).

Cookies whose names start with "__Secure-" or "__Host-" must have the "secure" flag and be set over a secure connection. In addition, cookies with the "__Host-" prefix must have a path attribute of "/" and must not have a "domain" attribute.

The prefixes are ugly, but a name collision could break existing content; Google's testing and scanning so far have revealed no collisions.

Implementation bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1283368
Proposed standard: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes
Platforms: Desktop and Android.
Target Release: Firefox 50

Since this is a proposed standard the best forum for discussion would be the public http mailing list https://lists.w3.org/Archives/Public/ietf-http-wg/ (subscription information available at that link)

This is implemented in Chrome 49 and Opera 36
https://www.chromestatus.com/features/4952188392570880

Chrome's Intent to Ship discussion (which links to their Intent to implement):
https://groups.google.com/a/chromium.org/forum/#!searchin/blink-dev/%22intent$20to%22$20cookie/blink-dev/ueCrrgFX8J4/3C8CN6gEAgAJ
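
The acceptance rules described in this message, written out as an added example that is not part of the original post and is not Firefox's or Chrome's code. The function names, the simplified Set-Cookie parsing, the case-sensitive prefix match and the sample headers are all assumptions of this sketch.

```javascript
// Added example: decide whether a Set-Cookie value satisfies the cookie
// prefix rules. parseSetCookie and checkCookiePrefix are hypothetical names.

// Simplified parser: "name=value; Attr; Attr=value" -> name + attribute map.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? "" : pair.slice(0, eq)).trim();
  const attrs = new Map();
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// fromSecureOrigin: true when the response arrived over a secure connection.
function checkCookiePrefix(header, fromSecureOrigin) {
  const { name, attrs } = parseSetCookie(header);
  // Assumption: prefixes are matched case-sensitively.
  const isHost = name.startsWith("__Host-");
  const isSecure = name.startsWith("__Secure-");
  if (!isHost && !isSecure) return { accepted: true, reason: "no prefix" };
  // Both prefixes: "secure" flag present and set over a secure connection.
  if (!attrs.has("secure")) return { accepted: false, reason: "missing secure flag" };
  if (!fromSecureOrigin) return { accepted: false, reason: "insecure connection" };
  if (isHost) {
    // __Host- only: no domain attribute, and path must be exactly "/".
    if (attrs.has("domain")) return { accepted: false, reason: "domain attribute present" };
    if (attrs.get("path") !== "/") return { accepted: false, reason: "path is not /" };
  }
  return { accepted: true, reason: "prefix rules satisfied" };
}

// Constructed sample headers, each with the connection type it arrived on.
const samples = [
  ["__Host-sid=abc; Secure; Path=/", true],
  ["__Host-sid=abc; Secure; Path=/; Domain=example.com", true],
  ["__Host-sid=abc; Secure", true],
  ["__Secure-sid=abc; Path=/app", true],
  ["__Secure-sid=abc; Secure; Domain=example.com", false],
  ["sid=abc", false],
];
for (const [header, secureOrigin] of samples) {
  const r = checkCookiePrefix(header, secureOrigin);
  console.log(`${r.accepted ? "accept" : "reject"}  ${header}  (${r.reason})`);
}
```

A server-side test suite can run the same check over its own Set-Cookie headers to catch prefixed cookies that a prefix-aware browser would drop.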