these cookie changes don’t prevent all session fixation attacks. If a user has never visited victim.example.com before, evil.example.com can set a cookie for .example.com, which will be sent on the request when the user first navigates to victim.example.com. The isolated origin can mitigate this by using Host- cookies for sensitive cookies. Maybe isolated origins should be required to use Host- on all cookies.
Issue 9 in the spec:
these cookie changes don’t prevent all session fixation attacks. If a user has never visited victim.example.com before, evil.example.com can set a cookie for .example.com, which will be sent on the request when the user first navigates to victim.example.com. The isolated origin can mitigate this by using Host- cookies for sensitive cookies. Maybe isolated origins should be required to use Host- on all cookies.