There are cases where it's important to distinguish on the server side between cookies that were set by the server and ones that were set by the client. One such case is cookies that are normally always set by the server, unless some unexpected code (an XSS exploit, a malicious extension, a commit from a confused developer, etc.) happens to set them on the client. This proposal add a signal that would enable servers to make such a distinction. More specifically, it defines the __Http and __HostHttp prefixes, that make sure that a cookie is not set on the client side using script.
Server operators need to ensure that certain cookies that they receive were indeed set by them, and not by a malicious/compromised script. the httpOnly cookie attribute helps them ensure that the cookies they set won't be read on the client, but an attacker can still set a similarly-named cookie on the client. The __Http cookie name prefix would enable servers to know that the cookie was not set on the client, but was set using HTTP headers.