Does anyone see a problem with my cookie?

I'm trying to leverage the cookie name prefix convention to get the browser to help me set secure cookies. My cookie is named __Host-cookie and it is set like this:

__Host-cookie=value; Path=/; Expires=Fri, 11 Aug 2023 04:58:13 GMT; Max-Age=86399; HttpOnly; Secure; SameSite=Strict

However, Chrome refuses to set it and shows this error in the network log:

> This attempt to set a cookie via a Set-Cookie header was blocked because it used the "__Secure-" or "__Host-" prefix in its name and broke the additional rules applied to cookies with these prefixes as defined in https://datatracker.ietf.org/doc/html/draft-west-cookie-prefixes-05

The cookie itself seems fine to me. The only thing I can think of is that, because I'm testing using a service running on my own machine, I'm setting the cookie from localhost, and that maybe fails this requirement from the IETF docs:
> Set from a URI whose "scheme" is considered "secure" by the user agent

I expected localhost to be exempt, though, since it's exempt from other conventions that require a secure host. For example, Chrome will happily send a cookie flagged Secure to a server running on http://localhost.

Does anyone see something wrong with my cookie?

> If a cookie's name begins with "__Host-", the cookie MUST be:
> 1. Set with a "Secure" attribute
> 2. Set from a URI whose "scheme" is considered "secure" by the user agent.
> 3. Sent only to the host which set the cookie. That is, a cookie named "__Host-cookie1" set from "https://example.com" MUST NOT contain a "Domain" attribute (and will therefore be sent only to "example.com", and not to "subdomain.example.com").
> 4. Sent to every request for a host. That is, a cookie named "__Host-cookie1" MUST contain a "Path" attribute with a value of "/".

In your case, it violates rule 2, as http://localhost isn't secure.
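As an added example (not from the original question or answer), the four "__Host-" rules and the two "__Secure-" rules quoted above written as a small checker and run against the Set-Cookie value from the question; the scheme argument stands in for the user agent's notion of a "secure" scheme, and treating only https as secure is an assumption.

```python
# Added example: validates a Set-Cookie header against the cookie-name
# prefix rules quoted in the answer. Which schemes count as "secure" is
# up to the user agent; this checker assumes only "https" qualifies.
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lowercased attribute -> value or None


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split a Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return ParsedCookie(name.strip(), value, attrs)


def prefix_violations(header: str, scheme: str) -> list:
    """Return the prefix rules a browser would see as broken (empty = accepted)."""
    cookie = parse_set_cookie(header)
    problems = []
    if cookie.name.startswith(("__Secure-", "__Host-")):
        if "secure" not in cookie.attrs:              # rule 1
            problems.append("missing Secure attribute")
        if scheme.lower() != "https":                 # rule 2 (assumption: https only)
            problems.append("not set from a secure scheme")
    if cookie.name.startswith("__Host-"):
        if "domain" in cookie.attrs:                  # rule 3
            problems.append("Domain attribute not allowed")
        if cookie.attrs.get("path") != "/":           # rule 4
            problems.append("Path attribute must be exactly /")
    return problems


# The cookie from the question, verbatim.
COOKIE = ("__Host-cookie=value; Path=/; Expires=Fri, 11 Aug 2023 04:58:13 GMT; "
          "Max-Age=86399; HttpOnly; Secure; SameSite=Strict")

if __name__ == "__main__":
    print(prefix_violations(COOKIE, "http"))   # ['not set from a secure scheme']
    print(prefix_violations(COOKIE, "https"))  # []
```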

