Cookies

The implementation of cookies is close to recent browsers' implementations. Dappy only does HTTPS, therefore all cookies are forced to secure: true. JavaScript has no access to cookies under any circumstances: all cookies are also forced to httpOnly: true. The only possible values for sameSite are strict or lax.

Cookies isolation

As you know, a name in dappy may be associated with many web servers, each with an IP address and SSL/TLS certificate. Cookies are always tied to a dappy name in addition to the domain name (which is part of the whitelist). If mysite1 and mysite2 interact with the same web server (same host and IP address), the cookies will not be shared.

Cookies are therefore scoped to the dappy name rather than unscoped. Many web services use cookies for authentication; random websites will never be able to send requests that include cookies that were set on mysite1. Cookie isolation prevents 95%+ of CSRF attacks.
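The isolation rules above, as an added example that is not Dappy's own code: a small cookie jar that keys every cookie on (dappy name, host, cookie name), forces Secure and HttpOnly on, normalises SameSite to strict or lax, and evaluates SameSite against dappy names rather than hosts. The class, method names, the `\u0000` key separator and the sample host are assumptions made for this illustration.

```javascript
// Added example (not Dappy's code): cookie jar modelling dappy cookie isolation.
// Assumed model: key = (dappy name, host, cookie name); Secure and HttpOnly are
// always forced on; SameSite is normalised to 'strict' or 'lax'.
class DappyCookieJar {
  constructor() {
    this.store = new Map();
  }

  // Parse one Set-Cookie header value. Secure/HttpOnly attributes are ignored
  // because they are forced on regardless of what the server sent.
  static parseSetCookie(header) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const eq = pair.indexOf('=');
    if (eq <= 0) throw new Error(`malformed Set-Cookie: ${header}`);
    const cookie = {
      name: pair.slice(0, eq), value: pair.slice(eq + 1),
      secure: true, httpOnly: true, sameSite: 'lax',
    };
    for (const attr of attrs) {
      const [k, v = ''] = attr.split('=');
      // Only 'strict' is honoured; anything else (none, missing) becomes 'lax'.
      if (k.toLowerCase() === 'samesite' && v.toLowerCase() === 'strict') cookie.sameSite = 'strict';
    }
    return cookie;
  }

  // Store under (dappyName, host): two dappy names served by the same host
  // (same IP address, same certificate) still get separate cookies.
  setCookie(dappyName, host, header) {
    const cookie = DappyCookieJar.parseSetCookie(header);
    this.store.set(`${dappyName}\u0000${host}\u0000${cookie.name}`, cookie);
    return cookie;
  }

  // Cookie header for a request issued by a page on `fromName` to (toName, host).
  // Only cookies tied to `toName` are candidates; SameSite is then checked on
  // dappy names: strict needs fromName === toName, lax additionally allows a
  // top-level navigation (e.g. following a link) coming from another name.
  cookieHeader(fromName, toName, host, topLevelNavigation = false) {
    const sent = [];
    for (const [key, c] of this.store) {
      const [name, h] = key.split('\u0000');
      if (name !== toName || h !== host) continue;
      const sameName = fromName === toName;
      if (c.sameSite === 'strict' && !sameName) continue;
      if (c.sameSite === 'lax' && !sameName && !topLevelNavigation) continue;
      sent.push(`${c.name}=${c.value}`);
    }
    return sent.join('; ');
  }
}
```

A request from a page on another dappy name to mysite1 gets no strict cookie at all and a lax cookie only on a top-level navigation, which is the property the paragraph above relies on against CSRF.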

HTTP Working Group's take on cookies, sameSite and XSS requests (2016)