Setting cookies with <meta http-equiv> is no longer allowed

Published: | Categories: HTML, Privacy & Security

Description

The HTML <meta> element can act as an equivalent to certain HTTP response headers via its http-equiv attribute, and this could even be used to set new cookies or override existing cookies.

<meta http-equiv="Set-Cookie" content="key=value">

In an effort to mitigate the risk of cross-site scripting (XSS) attacks, this legacy behaviour has been removed from the latest HTML spec and from Firefox 68. Google Chrome 65 already dropped support in March 2018.

Web developers are encouraged to use the standard Set-Cookie HTTP header with the HttpOnly, Secure and SameSite directives to increase security.
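
One way to find leftover meta-based cookies in templates and produce the header that replaces them, as an added example that is not part of the original page. It uses Python's standard html.parser and http.cookies modules; the names MetaCookieFinder, hardened_header and audit, the sample markup and the SameSite=Lax default are assumptions made for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie

class MetaCookieFinder(HTMLParser):
    """Records (line, content) for every <meta http-equiv="Set-Cookie">."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "set-cookie":
            self.found.append((self.getpos()[0], a.get("content", "")))

def hardened_header(content, samesite="Lax"):
    """Turn a meta content value into Set-Cookie header values with the
    HttpOnly, Secure and SameSite directives added.
    Assumption: page scripts do not need to read the cookie (HttpOnly hides it
    from document.cookie) and the site is served over HTTPS (Secure)."""
    cookie = SimpleCookie()
    cookie.load(content)          # keeps attributes such as Path from the tag
    values = []
    for morsel in cookie.values():
        morsel["httponly"] = True
        morsel["secure"] = True
        morsel["samesite"] = samesite
        values.append(morsel.OutputString())
    return values

def audit(html):
    """Return [(line, [header values])] for each meta-based cookie in html."""
    finder = MetaCookieFinder()
    finder.feed(html)
    return [(line, hardened_header(content)) for line, content in finder.found]

# Constructed sample template, not taken from any real site.
SAMPLE = """<html><head>
<META HTTP-EQUIV="Set-Cookie" CONTENT="key=value">
<meta http-equiv="refresh" content="30">
<meta content="sid=abc123; path=/app" http-equiv="set-cookie" />
</head></html>"""

if __name__ == "__main__":
    for line, headers in audit(SAMPLE):
        for h in headers:
            print(f"line {line}: remove the tag, send  Set-Cookie: {h}")
```

The emitted values belong in the HTTP response itself, for example through the framework's cookie API, once the tag has been deleted from the template.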
