> because such a cookie is serialized (to be sent in a Cookie header) as "Foo=Bar", How come? Where has the first equals sign gone? Is that the same across browsers?
☆*PhistucK* On Thu, Jun 4, 2026 at 6:41 PM Lily Chen <[email protected]> wrote: > Hello blink-dev, > > This is a PSA that the following change to cookie parsing has shipped in > Chromium in M148: crrev.com/c/7698176 > > Summary: > > A cookie line of the form "=Foo=Bar; <attributes>" is now rejected in > parsing, both in HTTP Set-Cookie headers and JavaScript APIs such as > `document.cookie`. > > Details: > > Previously, a cookie line such as "=Foo=Bar" would be parsed as a cookie > with an empty name and a value "Foo=Bar". This cookie value is ambiguous, > because such a cookie is serialized (to be sent in a Cookie header) as > "Foo=Bar", which appears identical to a cookie whose name is "Foo" (with > value "Bar"). This is problematic when such an ambiguous cookie shadows a > different cookie that the server considers more privileged. > > A special case of this serialization ambiguity was previously addressed in > crbug.com/40060319 for cookie lines that might shadow "__Host-" and > "__Secure-" prefixed cookie names, by rejecting such cookies at creation > time. The present change applies the same approach to all such ambiguous > cookies: a cookie line whose first semicolon-delimited substring > (containing its name and value) begins with an equals sign and contains at > least one other equals sign will now be rejected at parsing time. > > Web compatibility and interoperability: > > The current prevalence of "=Foo=Bar" cookies is extremely rare: a > UseCounter > <https://chromestatus.com/metrics/feature/timeline/popularity/5772> shows > that about 0.00006% of page visits result in attempting to set such a > cookie. (On the other hand, cookies simply having an empty name are a > superset of these ambiguous "=Foo=Bar" cookies and are set on about 0.4% > of page visits > <https://chromestatus.com/metrics/feature/timeline/popularity/5771>. This > change does not affect cookies with an empty name that do not contain an > equals sign in their value.) > > We will follow up with proposed changes to specification text and Web > Platform Tests. > > Thanks, > > Lily > > o.b.o. Chromium //net/cookies maintainers > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE24OxxH6suOcDUpomtPTsQPUn_wWHHKO_Q%2BFJdcKsyLZujffw%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAE24OxxH6suOcDUpomtPTsQPUn_wWHHKO_Q%2BFJdcKsyLZujffw%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABc02_KR%2B6_9jNnNNTQOuHxz%3DEJ9QhBALHhQzbv-RGD4HxtU0w%40mail.gmail.com.
