__Host-Http- and __Http- cookie name prefixes

[yoavweiss]

WebKittens

@annevk

Title of the proposal

__Host-Http- and __Http- cookie name prefixes

URL to the spec

httpwg/http-extensions#3110

URL to the spec's repository

No response

Issue Tracker URL

No response

Explainer URL

No response

TAG Design Review URL

No response

Mozilla standards-positions issue URL

mozilla/standards-positions#1256

WebKit Bugzilla URL

No response

Radar URL

No response

Description

There are cases where it's important to distinguish on the server side between cookies that were set by the server and ones that were set by the client.

One such case is cookies that are normally always set by the server, unless some unexpected code (an XSS exploit, a malicious extension, a commit from a confused developer, etc.) happens to set them on the client.

This proposal add a signal that would enable servers to make such a distinction.

httpwg/http-extensions#3110 adds the Http- prefix.
httpwg/http-extensions#3111 is an ongoing discussion to determine if the combination of the Http and Host prefixes should be __HostHttp- or __Host_Http-.

[annevk]

I discussed this with colleagues and we suggest resolving this as "position: support" one week from now. To be more clear than is probably warranted, support is limited to the __Http- and __HostHttp- prefixes and not any possible future expansions.

[yoavweiss]

Please note plans to rename __HostHttp- to Host-Http- to make it easier to deploy before support is ubiquitous, without losing the __Host- semantics.