Skip to main content

Deprecate modification of 'secure' cookies from non-secure origins

Document Type Replaced Internet-Draft (httpbis WG)
Expired & archived
Author Mike West
Last updated 2017-03-09 (Latest revision 2016-09-05)
Replaces draft-west-leave-secure-cookies-alone
Replaced by draft-ietf-httpbis-rfc6265bis
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Replaced by draft-ietf-httpbis-rfc6265bis
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document updates RFC6265 by removing the ability for a non- secure origin to set cookies with a 'secure' flag, and to overwrite cookies whose 'secure' flag is set. This deprecation improves the isolation between HTTP and HTTPS origins, and reduces the risk of malicious interference.


Mike West

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)