Enforce limits on the size (in bytes) of cookies set by HTTP responses (Set-Cookie header) and via JS APIs (document.cookie and CookieStore).

Motivation

RFC 6265bis has long suggested a limit on cookie sizes, but different user agents have implemented limits in subtly different ways, creating interoperability issues and providing a browser fingerprinting mechanism. After the spec change corresponding to this Intent, user agents are now required to limit the sum of the lengths of the cookie's name and value to 4096 bytes, and limit the length of each cookie attribute value to 1024 bytes. Any attempt to set a cookie exceeding the name+value limit is rejected, and any cookie attribute exceeding the attribute length limit is ignored.
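
The two limits above, applied to a Set-Cookie header string, as an added example (not Chromium's code or the specification's parsing algorithm). The function name `applyCookieSizeLimits`, its return shape and the sample headers are assumptions made for illustration; only the size checks are modeled, and sizes are counted in UTF-8 bytes rather than characters.

```javascript
// Added illustration; limits are the ones stated in the Motivation text.
const MAX_NAME_VALUE_BYTES = 4096; // cookie name + value, summed
const MAX_ATTR_VALUE_BYTES = 1024; // each attribute value on its own
const utf8 = new TextEncoder();
const byteLen = (s) => utf8.encode(s).length;

// Split on the first "=" only; a cookie value may itself contain "=".
// A part with no "=" is kept as a bare token with an empty value, so its
// length still counts toward the name+value sum.
function splitPair(part) {
  const i = part.indexOf("=");
  if (i === -1) return [part.trim(), ""];
  return [part.slice(0, i).trim(), part.slice(i + 1).trim()];
}

// Returns { name, value, attributes, ignored }, or null if the cookie is rejected.
function applyCookieSizeLimits(setCookie) {
  const [pair, ...rest] = setCookie.split(";");
  const [name, value] = splitPair(pair);
  // Oversized name+value: the whole cookie is rejected.
  if (byteLen(name) + byteLen(value) > MAX_NAME_VALUE_BYTES) return null;
  const attributes = {};
  const ignored = [];
  for (const part of rest) {
    const [attrName, attrValue] = splitPair(part);
    if (attrName === "") continue;
    // Oversized attribute value: only that attribute is ignored.
    if (byteLen(attrValue) > MAX_ATTR_VALUE_BYTES) {
      ignored.push(attrName);
      continue;
    }
    attributes[attrName.toLowerCase()] = attrValue;
  }
  return { name, value, attributes, ignored };
}

// Constructed sample headers (not taken from real traffic).
const atLimit = "sid=" + "a".repeat(4093);            // 3 + 4093 = 4096 bytes
const overLimit = "sid=" + "a".repeat(4094);          // 3 + 4094 = 4097 bytes
const multiByte = "k=" + "\u00e9".repeat(2048);       // 2049 chars, 4097 bytes
const longPath = "sid=abc; Path=/" + "p".repeat(1024) + "; Secure";

console.log(applyCookieSizeLimits(atLimit) !== null);   // accepted
console.log(applyCookieSizeLimits(overLimit));          // rejected
console.log(applyCookieSizeLimits(multiByte));          // rejected on byte count
console.log(applyCookieSizeLimits(longPath).ignored);   // Path dropped, cookie kept
```

Comparing a server's outgoing Set-Cookie headers against these checks shows which cookies a conforming user agent would drop and which would be stored without an oversized attribute such as Path or Domain.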

Specification

Specification link


Specification currently under development in a Working Group

Status in Chromium

Internals>Network>Cookies


Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signals

Owners

Intent to Prototype url

Intent to Prototype thread

Search tags

cookies

Last updated on 2021-11-13