<?xml version="1.0" encoding="utf-8"?>
<!-- name="GENERATOR" content="github.com/mmarkdown/mmark Mmark Markdown Processor - mmark.miek.nl" -->
<rfc version="3" ipr="trust200902" docName="draft-jones-httpbis-cookie-preference-00" submissionType="IETF" category="std" xml:lang="en" xmlns:xi="http://www.w3.org/2001/XInclude" consensus="true">

<front>
<title abbrev="Cookie-Preference">The Cookie-Preference HTTP Header Field</title><seriesInfo value="draft-jones-httpbis-cookie-preference-00" status="standard" name="Internet-Draft"></seriesInfo>
<author initials="P." surname="Jones" fullname="Paul Jones"><organization>Terrapane Corporation</organization><address><postal><street>5448 Apex Peakway #121</street>
<city>Apex</city>
<code>27502</code>
<country>USA</country>
<region>North Carolina</region>
</postal><email>paulej@packetizer.com</email>
<uri>https://paulej.com/</uri>
</address></author>
<author initials="M. A." surname="Ramalho" fullname="Michael A Ramalho"><organization>AcousticComms Consulting</organization><address><postal><street>6310 Watercrest Way Unit 203</street>
<city>Lakewood Ranch</city>
<code>34202-5122</code>
<country>USA</country>
<region>Florida</region>
</postal><email>mar42@cornell.edu</email>
<uri>https://ramalho.us/</uri>
</address></author>
<date/>
<area>Internet</area>
<workgroup></workgroup>
<keyword>HTTP</keyword>
<keyword>Cookies</keyword>
<keyword>Privacy</keyword>

<abstract>
<t>This document specifies a new HTTP request header field, &quot;Cookie-Preference&quot;,
that enables user agents to communicate the user's preferred cookie disposition
(e.g., accept all, accept essential only, reject all, or ask) to web servers.
By conveying this preference upfront, the header can facilitate a more seamless
browsing experience while respecting user privacy choices and reducing reliance
on per-site consent dialogs.</t>
</abstract>

</front>

<middle>

<section anchor="introduction"><name>Introduction</name>
<t>Concerns over Internet privacy have led websites to present users with
mechanisms for expressing cookie <xref target="RFC6265"></xref> handling preferences. Although these
mechanisms are intended to respect user choices, the inconsistent and repetitive
nature of per-site consent dialogs across the Internet results in a degraded
browsing experience for users.</t>
<t>In practice, most websites offer a similar set of options: accept all cookies,
reject all cookies, or accept only essential cookies (with some also supporting
more granular controls or &quot;ask me&quot; modes). Given this convergence, a more
efficient approach would allow user agents to signal the user's preferred cookie
disposition directly to servers via a standardized HTTP <xref target="RFC9110"></xref> request
header field. This preference could be configured globally by the user or on a
per-origin basis within the user agent.</t>
<t>This document defines such a header field, &quot;Cookie-Preference&quot;, to enable this
signaling.</t>
</section>

<section anchor="conventions-used-in-this-document"><name>Conventions Used In This Document</name>
<t>The key words &quot;<bcp14>MUST</bcp14>&quot;, &quot;<bcp14>MUST NOT</bcp14>&quot;, &quot;<bcp14>REQUIRED</bcp14>&quot;, &quot;<bcp14>SHALL</bcp14>&quot;,
&quot;<bcp14>SHALL NOT</bcp14>&quot;, &quot;<bcp14>SHOULD</bcp14>&quot;, &quot;<bcp14>SHOULD NOT</bcp14>&quot;, &quot;<bcp14>RECOMMENDED</bcp14>&quot;,
&quot;<bcp14>NOT RECOMMENDED</bcp14>&quot;, &quot;<bcp14>MAY</bcp14>&quot;, and &quot;<bcp14>OPTIONAL</bcp14>&quot; in this document are to be
interpreted as described in BCP 14 <xref target="RFC2119"></xref> <xref target="RFC8174"></xref> when, and only when,
they appear in all capitals, as shown here.</t>
</section>

<section anchor="motivation"><name>Motivation</name>
<t>The widespread adoption of per-site cookie consent dialogs, while driven by
privacy regulations such as the EU's ePrivacy Directive and GDPR, has created
significant user experience friction. Users frequently encounter repetitive,
variably designed prompts asking for the same basic choices: accept all cookies,
reject all (or non-essential), accept only essential cookies, or manage granular
settings. These dialogs often interrupt browsing flow, lead to decision fatigue,
and result in inconsistent application across sites due to differing
implementations and Consent Management Platforms.</t>
<t>Previous proposals for HTTP, such as the historical &quot;DNT&quot; (Do Not Track) header
<xref target="I-D.mayer-do-not-track"></xref> (which focused narrowly on tracking preferences and
saw limited adoption), and more recent mechanisms like Sec-GPC (Global Privacy
Control) <xref target="W3C.WD-gpc-20250116"></xref> (which signals opt-out from
data selling/sharing), address specific aspects of online tracking but do not
provide a comprehensive way to express general cookie acceptance preferences.
They lack direct support for common dispositions like &quot;accept essential only&quot;
or &quot;ask&quot; modes that align with today's consent banner patterns.</t>
<t>This document proposes the &quot;Cookie-Preference&quot; request header field to fill this
gap by offering a standardized, machine-readable signal from the user agent to
the origin server. The header conveys the user's configured preference for
cookie handling upfront in HTTP requests. Servers can use this signal to
adapt their behavior by, for example, omitting non-essential Set-Cookie
<xref target="RFC6265"></xref> headers when the preference is &quot;essential&quot; or &quot;none,&quot; thereby
potentially avoiding or simplifying consent dialogs while still respecting user
choices. A secondary motivation for this draft is to encourage a standardized
way to convey the user's cookie preference thereby discouraging user agent
specific methods, as such user agent specific differences could create yet
another form of user experience friction.</t>
<t>The mechanism is advisory: servers are encouraged but not required to honor the
preference, preserving compatibility and avoiding breakage for sites where
cookie functionality is essential. User agents retain control over when and
how to send the header (e.g., globally or per-origin), allowing flexibility
similar to existing privacy settings.</t>
</section>

<section anchor="the-cookie-preference-header-field"><name>The Cookie-Preference Header Field</name>
<t>The &quot;Cookie-Preference&quot; header field is a request header field that conveys the
user agent's configured preference for how cookies should be handled by the
origin server.</t>

<section anchor="syntax"><name>Syntax</name>
<t>Cookie-Preference is a Structured Header Field <xref target="RFC9651"></xref> whose value <bcp14>MUST</bcp14>
be a single Item (Section 3.3 of <xref target="RFC9651"></xref>).</t>
<t>Its ABNF <xref target="RFC5234"></xref> production is:</t>

<artwork>Cookie-Preference = sf-item
</artwork>
<t>The bare-item <bcp14>MUST</bcp14> be an sf-token (Section 3.3.4 of <xref target="RFC9651"></xref>) whose value
is one of the (case-insensitive) values in <xref target="cookie-table"></xref>.</t>
<table anchor="cookie-table"><name>Cookie-Preference Values
</name>
<thead>
<tr>
<th align="left">Value</th>
<th align="left">Meaning</th>
</tr>
</thead>

<tbody>
<tr>
<td align="left">all</td>
<td align="left">Accept all cookies, including non-essential ones</td>
</tr>

<tr>
<td align="left">essential</td>
<td align="left">Accept only strictly necessary cookies (e.g., session, auth, security)</td>
</tr>

<tr>
<td align="left">none</td>
<td align="left">Reject all cookies; server <bcp14>SHOULD NOT</bcp14> attempt to set cookies</td>
</tr>

<tr>
<td align="left">ask</td>
<td align="left">Request explicit or granular consent before setting non-essential cookies</td>
</tr>
</tbody>
</table><t>Additional token values <bcp14>MAY</bcp14> be defined in extensions or future registrations
in an IANA registry.</t>
<t>The Item <bcp14>MAY</bcp14> include Parameters (Section 3.1.2 of <xref target="RFC9651"></xref>) for
extensibility. Parameters follow the bare-item, separated by semicolons with
optional whitespace. Unrecognized parameters <bcp14>MUST</bcp14> be ignored by recipients.</t>
<t>The following are non-normative examples:</t>

<artwork>Cookie-Preference: essential

Cookie-Preference: all; level=&quot;high&quot;

Cookie-Preference: ask; granularity=&quot;category&quot;
</artwork>
<t>(Note: Parameters like &quot;level&quot; or &quot;granularity&quot; are illustrative only; their
semantics would need to be defined if registered or used in practice.)</t>
</section>

<section anchor="semantics"><name>Semantics</name>
<t>When present, the &quot;Cookie-Preference&quot; field signals the user's overall
preference for cookie acceptance on requests to the origin.</t>
<t>User agents <bcp14>SHOULD</bcp14> send this header on requests where cookie-setting
behavior is relevant (e.g., navigation requests or sub-resource loads that may
involve cookies). User agents <bcp14>MAY</bcp14> apply different values on a per-origin
basis (e.g., based on user-configured site-specific settings) or send a global
default.</t>
<t>Origin servers <bcp14>SHOULD</bcp14> inspect the parsed value of Cookie-Preference
(per the parsing algorithm in Section 4 of <xref target="RFC9651"></xref>) and adjust their
cookie-setting behavior accordingly (refer to <xref target="server-behavior"></xref>).</t>
<t>The preference is advisory: servers are not required to honor it, and user
agents <bcp14>MUST NOT</bcp14> rely on servers complying (e.g., they <bcp14>SHOULD</bcp14> still apply
client-side cookie blocking if configured). If parsing fails at the server or
the value is unrecognized, the entire field <bcp14>MUST</bcp14> be ignored
(per <xref target="RFC9651"></xref> error handling).</t>
</section>

<section anchor="server-behavior"><name>Server Behavior</name>
<t>Origin servers that understand the &quot;Cookie-Preference&quot; header field <bcp14>SHOULD</bcp14>
take it into account when deciding whether to include Set-Cookie headers in
responses, but they are not required to do so. The preference is advisory only;
servers <bcp14>MAY</bcp14> ignore it entirely if honoring it would break site
functionality, violate other policies, or would be problematic for any other
reason.</t>
<t>When honoring the signaled preference:</t>

<ul>
<li>For &quot;essential&quot;, servers <bcp14>SHOULD</bcp14> limit Set-Cookie headers to those cookies
classified as strictly necessary (per definitions in relevant privacy
regulations or equivalent guidelines).</li>
<li>For &quot;none&quot;, servers <bcp14>SHOULD</bcp14> refrain from setting any cookies.</li>
<li>For &quot;ask&quot;, servers <bcp14>SHOULD</bcp14> restrict themselves to essential cookies and use
other mechanisms to solicit more specific user consent.</li>
<li>For &quot;all&quot;, servers <bcp14>MAY</bcp14> set cookies without restriction.</li>
</ul>
<t>Once a cookie has been successfully set (i.e., the Set-Cookie header was sent
and processed by the user agent), this document does not require or define any
mechanism for revoking or modifying it based on a subsequent Cookie-Preference
value. Cookie lifecycle and management remain governed by <xref target="RFC6265"></xref> (or its
successor) and user agent policies.</t>
<t>This document does not require or define any mechanism for revoking or modifying
cookies set as a result of a previous Cookie-Preference header. Cookie lifecycle
and management remain governed by <xref target="RFC6265"></xref> (or its successor) and user agent
policies.</t>
<t>Servers <bcp14>SHOULD NOT</bcp14> infer strong privacy commitments solely from this header
(e.g., it does not substitute for valid legal consent under applicable
regulations).</t>
</section>
</section>

<section anchor="iana-considerations"><name>IANA Considerations</name>
<t>This document registers the following entry in the &quot;Hypertext Transfer Protocol
(HTTP) Field Name Registry&quot; <xref target="RFC9110"></xref>:</t>

<ul>
<li>Field name: Cookie-Preference</li>
<li>Status: permanent</li>
<li>Specification document(s): this document (RFC-to-be)</li>
<li>Comments: This is a request header field that conveys user preferences for
        cookie handling. It uses Structured Field Values <xref target="RFC9651"></xref>.</li>
</ul>
<t>No additional IANA actions are requested at this time.</t>
</section>

<section anchor="security-considerations"><name>Security Considerations</name>
<t>The &quot;Cookie-Preference&quot; header field conveys user-configured preferences about
cookie handling, which inherently involves privacy-sensitive information.
Implementers must carefully consider the implications outlined below.</t>

<section anchor="fingerprinting-and-linkability"><name>Fingerprinting and Linkability</name>
<t>Sending the &quot;Cookie-Preference&quot; header field reveals information about the
user's privacy settings or attitudes toward cookies. Since the set of possible
values is small and discrete (&quot;all&quot;, &quot;essential&quot;, &quot;none&quot;, &quot;ask&quot;), and many user
agents may send the same default value, the header alone provides limited
entropy. However, when combined with other request information (e.g.,
User-Agent, Accept-Language, or other preference headers), it can contribute to
fingerprinting the user agent or linking requests across origins/sessions.
User agents <bcp14>SHOULD</bcp14> mitigate this by:</t>

<ul>
<li>Applying the same value globally unless the user explicitly configures
per-origin exceptions.</li>
<li>Omitting the header on requests where it is not relevant (e.g., cross-origin
sub-resource requests that do not involve cookie-setting).</li>
<li>Randomizing or varying non-essential headers when privacy is a concern
(though this is outside the scope of this document).</li>
</ul>
<t>Servers <bcp14>MUST NOT</bcp14> rely on this header as a reliable indicator of user
identity or linkability across requests without additional context.</t>
</section>

<section anchor="spoofing-and-non-compliance"><name>Spoofing and Non-Compliance</name>
<t>The header is sent by the user agent and can be trivially spoofed by clients,
extensions, or proxies. Servers <bcp14>SHOULD</bcp14> treat the preference as advisory only
and <bcp14>MUST NOT</bcp14> depend on it for security-critical decisions (e.g., assuming
&quot;essential&quot; means no tracking cookies are needed for compliance with law).</t>
<t>Conversely, user agents <bcp14>MUST NOT</bcp14> assume servers will honor the preference;
they <bcp14>SHOULD</bcp14> continue to apply client-side cookie blocking or restrictions
as configured by the user.</t>
</section>

<section anchor="interaction-with-legal-consent-requirements"><name>Interaction with Legal Consent Requirements</name>
<t>This document defines a technical signaling mechanism and does not define,
modify, or substitute for legal requirements related to obtaining valid consent
for cookies or similar state management technologies.</t>
<t>Servers remain fully responsible for complying with applicable laws regarding
cookie consent, notice, and choice. In particular:</t>

<ul>
<li>The presence of a &quot;Cookie-Preference&quot; header (or any specific value within it)
does not, by itself, constitute legally valid consent under frameworks
that require explicit, informed, and affirmative user action.</li>
<li>The absence of the header or reception of an unknown value does not
imply or grant permission to set cookies.</li>
</ul>
<t>However, when a user agent sends &quot;Cookie-Preference: all&quot; (or equivalent future
values indicating broad acceptance), servers <bcp14>MAY</bcp14> interpret this as the
user's expressed preference to accept cookies without further prompting,
especially in jurisdictions or contexts where opt-out signals are sufficient,
or where the user agent has already obtained and recorded consent on behalf of
the user. Servers <bcp14>SHOULD</bcp14> honor such signals where feasible by omitting
consent dialogs and setting cookies consistent with the indicated preference,
thereby improving user experience while still respecting applicable legal
obligations.</t>
<t>Likewise, when a user agent sends &quot;Cookie-Preference: essential&quot;, servers
<bcp14>MAY</bcp14> interpret this as the user's expressed preference to accept only
cookies that are essential for site operation. If additional cookies are
desired, the site <bcp14>MAY</bcp14> prompt the user to accept additional cookies.</t>
<t>This mechanism is intended to reduce reliance on repetitive per-site consent
dialogs by providing a standardized, upfront expression of user intent. User
agents and servers are encouraged to align their implementations with evolving
best practices and regulatory guidance regarding machine-readable preference
signals.</t>
</section>

<section anchor="general-guidance"><name>General Guidance</name>
<t>Implementers should consult <xref target="RFC6973"></xref> for broader privacy considerations in
protocol design, and Section 17 of <xref target="RFC9110"></xref> for general HTTP security guidance.
In particular, any future extensions that add parameters or new values to
&quot;Cookie-Preference&quot; <bcp14>SHOULD</bcp14> include their own privacy analysis.</t>
</section>
</section>

<section anchor="acknowledgments"><name>Acknowledgments</name>
<t>TBD</t>
</section>

</middle>

<back>
<references><name>Normative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5234.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6265.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9651.xml"/>
</references>
<references><name>Informative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml-ids/reference.I-D.mayer-do-not-track.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6973.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9110.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml-w3c/reference.W3C.WD-gpc-20250116.xml"/>
</references>

</back>

</rfc>
