| Internet-Draft | Cookie-Preference | July 2026 |
| Jones & Ramalho | Expires 7 January 2027 | [Page] |
This document specifies a new HTTP request header field, "Cookie-Preference", that enables user agents to communicate the user's preferred cookie disposition (e.g., accept all, accept essential only, reject all, or ask) to web servers. By conveying this preference upfront, the header can facilitate a more seamless browsing experience while respecting user privacy choices and reducing reliance on per-site consent dialogs.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Concerns over Internet privacy have led websites to present users with mechanisms for expressing cookie [RFC6265] handling preferences. Although these mechanisms are intended to respect user choices, the inconsistent and repetitive nature of per-site consent dialogs across the Internet results in a degraded browsing experience for users.¶
In practice, most websites offer a similar set of options: accept all cookies, reject all cookies, or accept only essential cookies (with some also supporting more granular controls or "ask me" modes). Given this convergence, a more efficient approach would allow user agents to signal the user's preferred cookie disposition directly to servers via a standardized HTTP [RFC9110] request header field. This preference could be configured globally by the user or on a per-origin basis within the user agent.¶
This document defines such a header field, "Cookie-Preference", to enable this signaling.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The widespread adoption of per-site cookie consent dialogs, while driven by privacy regulations such as the EU's ePrivacy Directive and GDPR, has created significant user experience friction. Users frequently encounter repetitive, variably designed prompts asking for the same basic choices: accept all cookies, reject all (or non-essential), accept only essential cookies, or manage granular settings. These dialogs often interrupt browsing flow, lead to decision fatigue, and result in inconsistent application across sites due to differing implementations and Consent Management Platforms.¶
Previous proposals for HTTP, such as the historical "DNT" (Do Not Track) header [I-D.mayer-do-not-track] (which focused narrowly on tracking preferences and saw limited adoption), and more recent mechanisms like Sec-GPC (Global Privacy Control) [W3C.WD-gpc-20250116] (which signals opt-out from data selling/sharing), address specific aspects of online tracking but do not provide a comprehensive way to express general cookie acceptance preferences. They lack direct support for common dispositions like "accept essential only" or "ask" modes that align with today's consent banner patterns.¶
This document proposes the "Cookie-Preference" request header field to fill this gap by offering a standardized, machine-readable signal from the user agent to the origin server. The header conveys the user's configured preference for cookie handling upfront in HTTP requests. Servers can use this signal to adapt their behavior by, for example, omitting non-essential Set-Cookie [RFC6265] headers when the preference is "essential" or "none," thereby potentially avoiding or simplifying consent dialogs while still respecting user choices. A secondary motivation for this draft is to encourage a standardized way to convey the user's cookie preference thereby discouraging user agent specific methods, as such user agent specific differences could create yet another form of user experience friction.¶
The mechanism is advisory: servers are encouraged but not required to honor the preference, preserving compatibility and avoiding breakage for sites where cookie functionality is essential. User agents retain control over when and how to send the header (e.g., globally or per-origin), allowing flexibility similar to existing privacy settings.¶
This document registers the following entry in the "Hypertext Transfer Protocol (HTTP) Field Name Registry" [RFC9110]:¶
No additional IANA actions are requested at this time.¶
The "Cookie-Preference" header field conveys user-configured preferences about cookie handling, which inherently involves privacy-sensitive information. Implementers must carefully consider the implications outlined below.¶
Sending the "Cookie-Preference" header field reveals information about the user's privacy settings or attitudes toward cookies. Since the set of possible values is small and discrete ("all", "essential", "none", "ask"), and many user agents may send the same default value, the header alone provides limited entropy. However, when combined with other request information (e.g., User-Agent, Accept-Language, or other preference headers), it can contribute to fingerprinting the user agent or linking requests across origins/sessions. User agents SHOULD mitigate this by:¶
Servers MUST NOT rely on this header as a reliable indicator of user identity or linkability across requests without additional context.¶
The header is sent by the user agent and can be trivially spoofed by clients, extensions, or proxies. Servers SHOULD treat the preference as advisory only and MUST NOT depend on it for security-critical decisions (e.g., assuming "essential" means no tracking cookies are needed for compliance with law).¶
Conversely, user agents MUST NOT assume servers will honor the preference; they SHOULD continue to apply client-side cookie blocking or restrictions as configured by the user.¶
This document defines a technical signaling mechanism and does not define, modify, or substitute for legal requirements related to obtaining valid consent for cookies or similar state management technologies.¶
Servers remain fully responsible for complying with applicable laws regarding cookie consent, notice, and choice. In particular:¶
However, when a user agent sends "Cookie-Preference: all" (or equivalent future values indicating broad acceptance), servers MAY interpret this as the user's expressed preference to accept cookies without further prompting, especially in jurisdictions or contexts where opt-out signals are sufficient, or where the user agent has already obtained and recorded consent on behalf of the user. Servers SHOULD honor such signals where feasible by omitting consent dialogs and setting cookies consistent with the indicated preference, thereby improving user experience while still respecting applicable legal obligations.¶
Likewise, when a user agent sends "Cookie-Preference: essential", servers MAY interpret this as the user's expressed preference to accept only cookies that are essential for site operation. If additional cookies are desired, the site MAY prompt the user to accept additional cookies.¶
This mechanism is intended to reduce reliance on repetitive per-site consent dialogs by providing a standardized, upfront expression of user intent. User agents and servers are encouraged to align their implementations with evolving best practices and regulatory guidance regarding machine-readable preference signals.¶
Implementers should consult [RFC6973] for broader privacy considerations in protocol design, and Section 17 of [RFC9110] for general HTTP security guidance. In particular, any future extensions that add parameters or new values to "Cookie-Preference" SHOULD include their own privacy analysis.¶
TBD¶