
Block all cookies set via JavaScript that contain control characters

Category: Network / Connectivity
Type: Chromium catches up
Status: Enabled by default (Chrome 118)
Intent stage: None

Summary

Updates how control characters in cookies set via JavaScript are handled: any control character now causes the entire cookie to be rejected. Previously, a NULL character, a carriage return character, or a line feed character in a cookie line caused it to be truncated instead of rejected entirely, which could have enabled malicious behavior in certain circumstances. This aligns Chrome with the behavior indicated by the latest drafts of RFC6265bis. The change can be disabled using `--disable-features=BlockTruncatedCookies` or the BlockTruncatedCookies enterprise policy, which will exist for several milestones in case this change causes any breakage.

Motivation

When attacker-controlled data is used to set a new cookie, having certain control characters truncate the cookie line could result in security-related cookie attributes being ignored. Truncation may also corrupt cookie data when control characters are introduced, which may cause unpredictable behavior on the application side (more so than cookies not being set, which is a case that applications should already handle). This change helps mitigate these concerns and better aligns the behavior with the spec.
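The difference between truncating and rejecting, as an added example rather than Chromium's code: a simplified model of both behaviors plus an application-side guard. The function names are hypothetical, the sample input is constructed, and the control-character set (tab excluded) is an assumption taken from the RFC6265bis drafts.

```javascript
// Simplified model of cookie-line handling; added example, not Chromium's code.
// Assumption: "control character" = 0x00-0x08, 0x0A-0x1F, 0x7F (tab excluded),
// following the RFC6265bis drafts.
const CTL = /[\x00-\x08\x0A-\x1F\x7F]/;
const TRUNCATING = /[\x00\r\n]/; // NUL, CR, LF: the old truncation triggers

// Split a cookie line into name, value and a lower-cased attribute map.
function parseCookieLine(line) {
  const [pair, ...attrs] = line.split(';');
  const eq = pair.indexOf('=');
  const name = eq < 0 ? '' : pair.slice(0, eq).trim();
  const value = (eq < 0 ? pair : pair.slice(eq + 1)).trim();
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    if (key) attributes[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Previous behavior (truncation only is modeled): cut the line at the
// first NUL/CR/LF and keep what came before it.
function legacySetCookie(line) {
  const m = TRUNCATING.exec(line);
  return parseCookieLine(m ? line.slice(0, m.index) : line);
}

// New behavior: any control character rejects the whole cookie.
function strictSetCookie(line) {
  return CTL.test(line) ? null : parseCookieLine(line);
}

// Application-side guard: refuse to build a cookie line from untrusted
// input with control characters instead of relying on the browser.
function buildCookieLine(name, untrustedValue, attrs) {
  if (CTL.test(name) || CTL.test(untrustedValue)) {
    throw new RangeError('control character in cookie name or value');
  }
  return [`${name}=${untrustedValue}`, ...attrs].join('; ');
}

// Constructed sample: a value with an embedded line feed.
const sampleValue = 'dark\nmode';
const sampleLine = `theme=${sampleValue}; Secure; SameSite=Strict`;
```

In the legacy model the sample line is stored as `theme=dark` with no attributes at all; in the strict model nothing is stored, which the application must already handle.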

Standards & signals

Explainers: https://github.com/httpwg/http-extensions/issues/1531 https://github.com/httpwg/http-extensions/pull/1589
