whatwg / meta

Discussions and issues without a logical home
Creative Commons Zero v1.0 Universal

Read-Only attribute for secure cookies. #193

Closed pawelurbanski closed 3 years ago

pawelurbanski commented 3 years ago

The ability to mark a cookie as Read-Only, preferably server-side.

This is the idea to extend the secure cookie attributes such as SameSite with a Read-Only attribute. It is similar to the HTTP-Only property. While HTTP-Only cookies cannot be accessed or modified by JavaScript, regular cookies can. The Secure attribute marks them as valid only in the HTTPS context, but does not prevent JavaScript from overwriting the values. The Read-Only attribute would be halfway between HTTP-Only and regular cookies.

Use cases for the attribute:
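As an added illustration that is not part of the original issue, the JavaScript below models a browser cookie store just far enough to show the three cases described above: a Secure cookie that script can read and overwrite, an HttpOnly cookie that script can neither see nor change, and the proposed cookie that script can read but not replace. The Secure and HttpOnly rules follow RFC 6265 and RFC 6265bis; the `ReadOnly` attribute name and the exact behaviour modelled for it are assumptions made for this example, not anything a browser implements.

```javascript
// Added example (not from the whatwg/meta issue): a minimal model of a browser
// cookie store showing which attributes keep script from reading or
// overwriting a cookie. Secure and HttpOnly handling follows RFC 6265 /
// RFC 6265bis; "ReadOnly" is the hypothetical attribute proposed in the issue,
// and the behaviour modelled for it is an assumption.

// Parse a Set-Cookie style string such as "name=value; Secure; HttpOnly".
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  const attrs = new Set(parts.slice(1).map((a) => a.toLowerCase()));
  return {
    name,
    value,
    secure: attrs.has("secure"),
    httpOnly: attrs.has("httponly"),
    readOnly: attrs.has("readonly"), // hypothetical attribute
  };
}

class CookieStore {
  constructor() {
    this.cookies = new Map(); // name -> cookie record
  }

  // A Set-Cookie response header: the server may set any attribute.
  setFromServer(header) {
    const c = parseSetCookie(header);
    this.cookies.set(c.name, c);
    return true;
  }

  // Assignment to document.cookie; returns true if the store accepted it.
  setFromScript(header, { https }) {
    const c = parseSetCookie(header);
    const existing = this.cookies.get(c.name);
    // Script can neither create an HttpOnly cookie nor overwrite one (RFC 6265 5.3).
    if (c.httpOnly || (existing && existing.httpOnly)) return false;
    // An insecure origin cannot set or overwrite a Secure cookie (RFC 6265bis).
    if (!https && (c.secure || (existing && existing.secure))) return false;
    // Hypothetical ReadOnly: script may neither set nor overwrite it (assumption).
    if (c.readOnly || (existing && existing.readOnly)) return false;
    this.cookies.set(c.name, c);
    return true;
  }

  // Reading document.cookie: HttpOnly cookies are hidden from script, and
  // Secure cookies are not exposed on an insecure origin.
  readFromScript({ https }) {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly && (https || !c.secure))
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }

  get(name) {
    const c = this.cookies.get(name);
    return c ? c.value : undefined;
  }
}

// Walk through the three cases from the issue on an HTTPS page.
function demo() {
  const store = new CookieStore();
  const ctx = { https: true };
  store.setFromServer("sid=server-value; Secure");
  store.setFromServer("auth=server-value; Secure; HttpOnly");
  store.setFromServer("pref=server-value; Secure; ReadOnly"); // hypothetical

  return {
    // Secure alone: script can read the cookie and replace its value.
    secureOverwritten: store.setFromScript("sid=script-value; Secure", ctx),
    sidValue: store.get("sid"),
    // HttpOnly: script cannot see or change the cookie.
    httpOnlyOverwritten: store.setFromScript("auth=script-value", ctx),
    authValue: store.get("auth"),
    // Hypothetical ReadOnly: script can read it but the write is rejected.
    readOnlyOverwritten: store.setFromScript("pref=script-value", ctx),
    prefValue: store.get("pref"),
    visibleToScript: store.readFromScript(ctx),
  };
}

console.log(demo());
```

The model makes the gap the issue points at concrete: with only `Secure`, the `sid` cookie is replaced by script on the HTTPS page, while `HttpOnly` hides `auth` entirely and the hypothetical `ReadOnly` leaves `pref` visible to script but keeps the server's value.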

annevk commented 3 years ago

I recommend raising this at https://github.com/httpwg/http-extensions/issues. WHATWG doesn't define cookies.