Setting cookies with <meta http-equiv> will no longer be allowed

Published: | Categories: HTML, Privacy & Security

Description

Through its http-equiv attribute, the HTML <meta> element can stand in for certain HTTP response headers. This has included Set-Cookie, so a <meta> tag could set new cookies or override existing ones.

<meta http-equiv="Set-Cookie" content="key=value">

To mitigate the risk of cross-site scripting (XSS) attacks, this legacy behaviour has been removed from the latest HTML spec. Google Chrome 65 already dropped support in March 2018, and Firefox will follow soon.

Web developers are encouraged to use the standard Set-Cookie HTTP header with the HttpOnly, Secure and SameSite directives to increase security.
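As an added example (not part of the original note), the following Node.js helper scans markup for the legacy tag and builds the Set-Cookie header value that should replace it. The function names, the constructed sample page and the SameSite=Lax default are assumptions made for illustration.

```javascript
// Added example: locate legacy <meta http-equiv="Set-Cookie"> tags in markup
// and build the hardened Set-Cookie response header that replaces each one.
const META_TAG = /<meta\b[^>]*>/gi;
// name=value attributes, with double-quoted, single-quoted or bare values.
const ATTR = /([^\s"'<>\/=]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function parseAttributes(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return the content value of every <meta> tag that tries to set a cookie.
function findMetaCookies(html) {
  const found = [];
  for (const [tag] of html.matchAll(META_TAG)) {
    const attrs = parseAttributes(tag);
    if ((attrs["http-equiv"] || "").trim().toLowerCase() === "set-cookie") {
      found.push(attrs.content || "");
    }
  }
  return found;
}

// Keep the name=value pair and attributes such as Path or Expires, drop any
// existing Secure/HttpOnly/SameSite, then append the three hardening attributes.
function toHardenedHeader(content, sameSite = "Lax") {
  const parts = content.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0 || !parts[0].includes("=")) {
    throw new Error("not a name=value cookie: " + content);
  }
  const managed = new Set(["secure", "httponly", "samesite"]);
  const kept = parts.filter(
    (p, i) => i === 0 || !managed.has(p.split("=")[0].trim().toLowerCase())
  );
  return [...kept, "Secure", "HttpOnly", `SameSite=${sameSite}`].join("; ");
}

// Constructed sample page: two legacy cookie tags and one unrelated <meta>.
const SAMPLE_HTML = `<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <meta http-equiv="Set-Cookie" content="key=value">
  <META CONTENT='sid=abc; Path=/app; samesite=None' HTTP-EQUIV='set-cookie'>
</head>`;

function migrationReport(html) {
  return findMetaCookies(html).map((c) => ({ legacy: c, header: toHardenedHeader(c) }));
}
```

HttpOnly hides the cookie from document.cookie, so a cookie that page scripts read needs that attribute dropped or the script changed.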
