Internet-Draft Cookie-Preference July 2026
Jones & Ramalho Expires 7 January 2027 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-jones-httpbis-cookie-preference-00
Published:
Intended Status:
Standards Track
Expires:
Authors:
P. Jones
Terrapane Corporation
M. A. Ramalho
AcousticComms Consulting

The Cookie-Preference HTTP Header Field

Abstract

This document specifies a new HTTP request header field, "Cookie-Preference", that enables user agents to communicate the user's preferred cookie disposition (e.g., accept all, accept essential only, reject all, or ask) to web servers. By conveying this preference upfront, the header can facilitate a more seamless browsing experience while respecting user privacy choices and reducing reliance on per-site consent dialogs.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 January 2027.

Table of Contents

1. Introduction

Concerns over Internet privacy have led websites to present users with mechanisms for expressing cookie [RFC6265] handling preferences. Although these mechanisms are intended to respect user choices, the inconsistent and repetitive nature of per-site consent dialogs across the Internet results in a degraded browsing experience for users.

In practice, most websites offer a similar set of options: accept all cookies, reject all cookies, or accept only essential cookies (with some also supporting more granular controls or "ask me" modes). Given this convergence, a more efficient approach would allow user agents to signal the user's preferred cookie disposition directly to servers via a standardized HTTP [RFC9110] request header field. This preference could be configured globally by the user or on a per-origin basis within the user agent.

This document defines such a header field, "Cookie-Preference", to enable this signaling.

2. Conventions Used In This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Motivation

The widespread adoption of per-site cookie consent dialogs, while driven by privacy regulations such as the EU's ePrivacy Directive and GDPR, has created significant user experience friction. Users frequently encounter repetitive, variably designed prompts asking for the same basic choices: accept all cookies, reject all (or non-essential), accept only essential cookies, or manage granular settings. These dialogs often interrupt browsing flow, lead to decision fatigue, and result in inconsistent application across sites due to differing implementations and Consent Management Platforms.

Previous proposals for HTTP, such as the historical "DNT" (Do Not Track) header [I-D.mayer-do-not-track] (which focused narrowly on tracking preferences and saw limited adoption), and more recent mechanisms like Sec-GPC (Global Privacy Control) [W3C.WD-gpc-20250116] (which signals opt-out from data selling/sharing), address specific aspects of online tracking but do not provide a comprehensive way to express general cookie acceptance preferences. They lack direct support for common dispositions like "accept essential only" or "ask" modes that align with today's consent banner patterns.

This document proposes the "Cookie-Preference" request header field to fill this gap by offering a standardized, machine-readable signal from the user agent to the origin server. The header conveys the user's configured preference for cookie handling upfront in HTTP requests. Servers can use this signal to adapt their behavior by, for example, omitting non-essential Set-Cookie [RFC6265] headers when the preference is "essential" or "none," thereby potentially avoiding or simplifying consent dialogs while still respecting user choices. A secondary motivation for this draft is to encourage a standardized way to convey the user's cookie preference thereby discouraging user agent specific methods, as such user agent specific differences could create yet another form of user experience friction.

The mechanism is advisory: servers are encouraged but not required to honor the preference, preserving compatibility and avoiding breakage for sites where cookie functionality is essential. User agents retain control over when and how to send the header (e.g., globally or per-origin), allowing flexibility similar to existing privacy settings.

5. IANA Considerations

This document registers the following entry in the "Hypertext Transfer Protocol (HTTP) Field Name Registry" [RFC9110]:

No additional IANA actions are requested at this time.

6. Security Considerations

The "Cookie-Preference" header field conveys user-configured preferences about cookie handling, which inherently involves privacy-sensitive information. Implementers must carefully consider the implications outlined below.

6.1. Fingerprinting and Linkability

Sending the "Cookie-Preference" header field reveals information about the user's privacy settings or attitudes toward cookies. Since the set of possible values is small and discrete ("all", "essential", "none", "ask"), and many user agents may send the same default value, the header alone provides limited entropy. However, when combined with other request information (e.g., User-Agent, Accept-Language, or other preference headers), it can contribute to fingerprinting the user agent or linking requests across origins/sessions. User agents SHOULD mitigate this by:

  • Applying the same value globally unless the user explicitly configures per-origin exceptions.
  • Omitting the header on requests where it is not relevant (e.g., cross-origin sub-resource requests that do not involve cookie-setting).
  • Randomizing or varying non-essential headers when privacy is a concern (though this is outside the scope of this document).

Servers MUST NOT rely on this header as a reliable indicator of user identity or linkability across requests without additional context.

6.2. Spoofing and Non-Compliance

The header is sent by the user agent and can be trivially spoofed by clients, extensions, or proxies. Servers SHOULD treat the preference as advisory only and MUST NOT depend on it for security-critical decisions (e.g., assuming "essential" means no tracking cookies are needed for compliance with law).

Conversely, user agents MUST NOT assume servers will honor the preference; they SHOULD continue to apply client-side cookie blocking or restrictions as configured by the user.

6.4. General Guidance

Implementers should consult [RFC6973] for broader privacy considerations in protocol design, and Section 17 of [RFC9110] for general HTTP security guidance. In particular, any future extensions that add parameters or new values to "Cookie-Preference" SHOULD include their own privacy analysis.

7. Acknowledgments

TBD

8. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC5234]
Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, , <https://www.rfc-editor.org/info/rfc5234>.
[RFC6265]
Barth, A., "HTTP State Management Mechanism", RFC 6265, DOI 10.17487/RFC6265, , <https://www.rfc-editor.org/info/rfc6265>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.
[RFC9651]
Nottingham, M. and P. Kamp, "Structured Field Values for HTTP", RFC 9651, DOI 10.17487/RFC9651, , <https://www.rfc-editor.org/info/rfc9651>.

9. Informative References

[I-D.mayer-do-not-track]
Mayer, J., Narayanan, A., and S. Stamm, "Do Not Track: A Universal Third-Party Web Tracking Opt Out", Work in Progress, Internet-Draft, draft-mayer-do-not-track-00, , <https://datatracker.ietf.org/doc/html/draft-mayer-do-not-track-00>.
[RFC6973]
Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M., and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, DOI 10.17487/RFC6973, , <https://www.rfc-editor.org/info/rfc6973>.
[RFC9110]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, , <https://www.rfc-editor.org/info/rfc9110>.
[W3C.WD-gpc-20250116]
Zucker-Scharff, A., Ed., Brookman, J., Ed., Snyder, P., Ed., and S. Zimmeck, Ed., "Global Privacy Control (GPC)", W3C WD WD-gpc-20250116, W3C WD-gpc-20250116, , <https://www.w3.org/TR/2025/WD-gpc-20250116/>.

Authors' Addresses

Paul Jones
Terrapane Corporation
5448 Apex Peakway #121
Apex, North Carolina 27502
United States of America
Michael A Ramalho
AcousticComms Consulting
6310 Watercrest Way Unit 203
Lakewood Ranch, Florida 34202-5122
United States of America