Setting cookies with <meta http-equiv> is no longer allowed

Published:

Categories: HTML, Privacy & Security

Releases: Firefox 68, Firefox 68 ESR

Description

The HTML <meta> element can emulate certain HTTP response headers through its http-equiv attribute, which can even be used to set new cookies or override existing cookies.

<meta http-equiv="Set-Cookie" content="key=value">

In an effort to mitigate the risk of cross-site scripting (XSS) attacks, this legacy behaviour has been removed from the latest HTML spec and from Firefox 68. Google Chrome 65 already dropped support in March 2018.

Web developers are encouraged to use the standard Set-Cookie HTTP header with the HttpOnly, Secure and SameSite directives to increase security.
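
One way to find pages that still rely on the removed behaviour and work out the header the server should send instead. This is an added example, not part of the original note or of Firefox; the function names, the sample page and the SameSite=Lax default are assumptions made for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample page: one unrelated meta tag and two cookie-setting ones.
SAMPLE = """<!doctype html>
<html><head>
<meta http-equiv="refresh" content="30">
<meta http-equiv="Set-Cookie" content="key=value">
<META HTTP-EQUIV="set-cookie" CONTENT="sid=abc123; path=/" />
</head><body></body></html>
"""

class MetaCookieFinder(HTMLParser):
    """Records (line, content) for every <meta http-equiv="Set-Cookie">."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "set-cookie":
            self.found.append((self.getpos()[0], a.get("content", "")))

def find_meta_cookies(html):
    finder = MetaCookieFinder()
    finder.feed(html)
    finder.close()
    return finder.found

def hardened_headers(content, samesite="Lax"):
    """Return Set-Cookie header values for the cookies in a meta content string."""
    jar = SimpleCookie()
    jar.load(content)
    values = []
    for morsel in jar.values():
        morsel["httponly"] = True    # not readable through document.cookie
        morsel["secure"] = True      # only sent over HTTPS
        morsel["samesite"] = samesite
        values.append(morsel.OutputString())
    return values

if __name__ == "__main__":
    for line, content in find_meta_cookies(SAMPLE):
        for value in hardened_headers(content):
            print(f"line {line}: send 'Set-Cookie: {value}' from the server instead")
```

HttpOnly hides the cookie from page scripts, so a cookie that client-side code must read needs that flag left off when it is moved to the header.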

How can I test this?

This change can be tested with the compatibility checker in our Firefox Developer Tools extension. Get it today!
