+net-dev and security-dev via BCC.
Link to “Intent to Implement” blink-dev discussion
Is this feature supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
The syntax is backwards compatible with existing cookie syntax and flags. There is a risk that existing sites might already use the __Secure or __Host prefixes on their cookies and those sites would break when we ship this change. Our telemetry from Canary and Dev does not show any uses of those prefixes, though.
We can't implement this on iOS because we don't have control over either the cookie store or the network stack.
OWP launch tracking bug? https://crbug.com/541511
Link to entry on the feature dashboard: https://www.chromestatus.com/features/4952188392570880
how does this interact with document.cookie? Can a document that has
modified document.domain set __Host cookies? Can an insecure page set
(sorry .. a quick grep didn't find anything in the intent to implement
or in the draft)
Just confirming what Mike said about the slow rollout. Based on our measurements, we think Strict Secure should be OK to rollout, but we want to just make sure there isn't any surprise breakage.