__Http- cookie prefix

Yoav Weiss · chromium-wpt-export-bot · commit b42bb20b09d9 · 2025-06-24T23:35:49.000-07:00
This CL implements the __Http- [1] cookie prefixes. They enable site operators to know that a certain cookie was issued with the HttpOnly attribute, and was not set by a malicious script on the client side. [1] httpwg/http-extensions#3110 Bug: 426096760 Change-Id: I13205747406a8b3c33bd9f0e60abd7526eb9490d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6638647 Reviewed-by: Maks Orlovich <morlovich@chromium.org> Reviewed-by: Chris Fredrickson <cfredric@chromium.org> Commit-Queue: Yoav Weiss (@Shopify) <yoavweiss@chromium.org> Cr-Commit-Position: refs/heads/main@{#1478348}
diff --git a/cookie-store/cookieStore_special_names.https.any.js b/cookie-store/cookieStore_special_names.https.any.js
@@ -54,6 +54,13 @@
   }, `cookieStore.set with ${prefix} prefix a path option`);
 });
 
+['__Http-', '__http-'].forEach(prefix => {
+  promise_test(async testCase => {
+    await promise_rejects_js(testCase, TypeError,
+        cookieStore.set({ name: `${prefix}cookie-name`, value: 'cookie-value'}));
+  }, `cookieStore.set with ${prefix} prefix rejects`);
+});
+
 promise_test(async testCase => {
     let exceptionThrown = false;
     try {
diff --git a/cookies/prefix/__Http.https.tentative.html b/cookies/prefix/__Http.https.tentative.html
@@ -0,0 +1,61 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/cookies/resources/cookie-helper.sub.js"></script>
+<script>
+  set_prefixed_cookie_via_dom_test({
+    prefix: "__Http-",
+    params: "Path=/",
+    shouldExistInDOM: false,
+    shouldExistViaHTTP: false,
+    title: "__Http: Does not set via DOM 'Path=/'"
+  });
+
+  set_prefixed_cookie_via_dom_test({
+    prefix: "__Http-",
+    params: "Secure; Path=/",
+    shouldExistInDOM: false,
+    shouldExistViaHTTP: false,
+    title: "__Http: Does not set via DOM 'Secure; Path=/'"
+  });
+
+  set_prefixed_cookie_via_dom_test({
+    prefix: "__Http-",
+    params: "Secure; Path=/;httponly",
+    shouldExistInDOM: false,
+    shouldExistViaHTTP: false,
+    title: "__Http: Does not set via DOM 'Secure; Path=/; httponly'"
+  });
+
+  set_prefixed_cookie_via_http_test({
+    prefix: "__Http-",
+    params: "Path=/",
+    shouldExistViaHTTP: false,
+    origin: self.origin,
+    title: "__Http: Does not set via HTTP with 'Path=/;' (without Secure)"
+  });
+
+  set_prefixed_cookie_via_http_test({
+    prefix: "__Http-",
+    params: "Secure;Path=/",
+    shouldExistViaHTTP: false,
+    origin: self.origin,
+    title: "__Http: Does not set via HTTP with 'Secure; Path=/'"
+  });
+
+  set_prefixed_cookie_via_http_test({
+    prefix: "__Http-",
+    params: "Secure;Path=/;httponly",
+    shouldExistViaHTTP: true,
+    origin: self.origin,
+    title: "__Http: Does set via HTTP with 'Secure; Path=/;httponly'"
+  });
+
+  set_prefixed_cookie_via_http_test({
+    prefix: "__Http-",
+    params: "Secure;Path=/cookies/;httponly",
+    shouldExistViaHTTP: true,
+    origin: self.origin,
+    title: "__Http: Does set via HTTP with 'Secure; Path=/cookies/;httponly'"
+  });
+</script>
