Description
MDN URL
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie
What specific section or headline is this issue about?
Path attribute
What information was incorrect, unhelpful, or incomplete?
It would be helpful to specify the default behaviour of the Path attribute if it is omitted. It is not uncommon (but incorrect) to assume that it defaults to /.
What did you expect to see?
As per RFC 6265, the Path attribute defaults to the path component of the request's URI:

> The scope of each cookie is limited to a set of paths, controlled by
> the Path attribute. If the server omits the Path attribute, the user
> agent will use the "directory" of the request-uri's path component as
> the default value. (See Section 5.1.4 for more details.)
>
> The user agent will include the cookie in an HTTP request only if the
> path portion of the request-uri matches (or is a subdirectory of) the
> cookie's Path attribute, where the %x2F ("/") character is
> interpreted as a directory separator.
>
> Although seemingly useful for isolating cookies between different
> paths within a given host, the Path attribute cannot be relied upon
> for security (see Section 8).
Do you have any supporting links, references, or citations?
As above, https://www.rfc-editor.org/rfc/rfc6265#section-4.1.2.4.
Here is an example of somebody who got confused by this, let alone yours truly.
Do you have anything more you want to share?
No response
MDN metadata
Page report details
- Folder: en-us/web/http/reference/headers/set-cookie
- MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie
- GitHub URL: https://github.com/mdn/content/blob/main/files/en-us/web/http/reference/headers/set-cookie/index.md
- Last commit: b540e82
- Document last modified: 2025-04-08T00:45:05.000Z
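
The default-path and path-match rules from RFC 6265 (Section 5.1.4) that this issue refers to, as an added example that is not part of the original issue or of MDN's content. The function names and the `example.test` URLs are constructed for illustration.

```javascript
// Added illustration of RFC 6265 Section 5.1.4; names and URLs are constructed.

// default-path: the "directory" of the request-uri's path component.
function defaultPath(requestUrl) {
  const uriPath = new URL(requestUrl).pathname;
  // Empty path, or path not starting with "/": default is "/".
  if (uriPath === "" || uriPath[0] !== "/") return "/";
  const lastSlash = uriPath.lastIndexOf("/");
  // Only one "/" in the path (e.g. "/login"): default is "/".
  if (lastSlash === 0) return "/";
  // Everything up to, but not including, the right-most "/".
  return uriPath.slice(0, lastSlash);
}

// path-match: identical, or cookie-path is a prefix that ends on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would a cookie set by the response to setFromUrl be sent with requestUrl?
// pathAttr is the Path attribute value, or undefined when the server omitted it.
// Per Section 5.2.4, a value that is empty or does not start with "/" is
// replaced by the default-path.
function cookieSentTo(setFromUrl, pathAttr, requestUrl) {
  const cookiePath =
    pathAttr && pathAttr.startsWith("/") ? pathAttr : defaultPath(setFromUrl);
  return pathMatches(new URL(requestUrl).pathname, cookiePath);
}

// Constructed scenario: a login endpoint sets a cookie without Path.
const setFrom = "https://example.test/account/login";
for (const target of [
  "https://example.test/account/settings",
  "https://example.test/accounting",
  "https://example.test/",
]) {
  console.log(target, "Path omitted:", cookieSentTo(setFrom, undefined, target),
    "Path=/:", cookieSentTo(setFrom, "/", target));
}
```

With `Path` omitted, the cookie set from `/account/login` is scoped to `/account`, so requests to `/` or `/accounting` do not carry it; setting `Path=/` explicitly is what makes it host-wide.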