Enforce limits on the size (in bytes) of cookies set by HTTP responses (Set-Cookie header) and via JS APIs (document.cookie and CookieStore).
Motivation
RFC 6265bis has long suggested a limit on cookie sizes, but different user agents have implemented limits in subtly different ways, creating interoperability issues and providing a browser fingerprinting mechanism. After the spec change corresponding to this Intent, user agents are now required to limit the sum of the lengths of the cookie's name and value to 4096 bytes, and limit the length of each cookie attribute value to 1024 bytes. Any attempt to set a cookie exceeding the name+value limit is rejected, and any cookie attribute exceeding the attribute length limit is ignored.
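The two limits described above, applied to a Set-Cookie string. This is an added example, not Chromium's code or the specification's parsing algorithm: `applyCookieSizeLimits` is a hypothetical helper, parsing is simplified to splitting on `;` and the first `=`, and the sample headers are constructed.

```javascript
const MAX_NAME_VALUE_BYTES = 4096; // name + value combined, per the text above
const MAX_ATTR_VALUE_BYTES = 1024; // each attribute value, per the text above

// Limits are in bytes, so measure the UTF-8 encoding, not the string length.
const byteLen = (s) => new TextEncoder().encode(s).length;

// Hypothetical helper (assumption): simplified parsing, not the full algorithm.
function applyCookieSizeLimits(setCookie) {
  const [pair, ...attrParts] = setCookie.split(';');
  const eq = pair.indexOf('=');
  // A pair without '=' is treated here as a nameless cookie (value only).
  const name = eq === -1 ? '' : pair.slice(0, eq).trim();
  const value = eq === -1 ? pair.trim() : pair.slice(eq + 1).trim();

  const nameValueBytes = byteLen(name) + byteLen(value);
  if (nameValueBytes > MAX_NAME_VALUE_BYTES) {
    // Over the name+value limit: the whole cookie is rejected.
    return { accepted: false, nameValueBytes, attributes: {}, ignored: [] };
  }

  const attributes = {};
  const ignored = [];
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const attrName = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    const attrValue = i === -1 ? '' : part.slice(i + 1).trim();
    if (attrName === '') continue;
    if (byteLen(attrValue) > MAX_ATTR_VALUE_BYTES) {
      ignored.push(attrName); // oversized attribute is dropped, cookie is kept
      continue;
    }
    attributes[attrName] = attrValue;
  }
  return { accepted: true, nameValueBytes, attributes, ignored };
}

// Constructed sample inputs.
const samples = {
  atLimit: 'sid=' + 'a'.repeat(4093),              // 3 + 4093 bytes
  overLimit: 'sid=' + 'a'.repeat(4094),            // 3 + 4094 bytes
  multibyte: 'sid=' + '\u00e9'.repeat(2047),       // 2050 chars, 2 bytes each
  longPath: 'sid=1; Path=/' + 'p'.repeat(1024) + '; Secure',
};
for (const [label, header] of Object.entries(samples)) {
  const r = applyCookieSizeLimits(header);
  console.log(label, r.accepted, r.nameValueBytes, r.ignored);
}
```

The `multibyte` sample is well under 4096 characters but over 4096 bytes, which is the kind of difference that made earlier per-browser limits diverge.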
Specification
Specification currently under development in a Working Group
Status in Chromium
Enabled by default
(tracking bug)
Consensus & Standardization
- No signal
- No signal
- No signals
Owners
Intent to Prototype url
Intent to Prototype thread
Search tags
cookies
Last updated on 2022-02-27