Enforce limits on the size (in bytes) of cookies set by HTTP responses (Set-Cookie header) and via JS APIs (document.cookie and CookieStore).


RFC 6265bis has long suggested a limit on cookie sizes, but different user agents have implemented limits in subtly different ways, creating interoperability issues and providing a browser fingerprinting mechanism. After the spec change corresponding to this Intent, user agents are now required to limit the sum of the lengths of the cookie's name and value to 4096 bytes, and limit the length of each cookie attribute value to 1024 bytes. Any attempt to set a cookie exceeding the name+value limit is rejected, and any cookie attribute exceeding the attribute length limit is ignored.


Specification link

Specification currently under development in a Working Group

Status in Chromium


Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signals


Intent to Prototype url

Intent to Prototype thread

Search tags


Last updated on 2022-02-27