If a cookie’s name begins with “__Host-”, the cookie MUST be:
1. Set with a "Secure" attribute
2. Set from a URI whose "scheme" is considered "secure" by the user
3. Sent only to the host which set the cookie. That is, a cookie
named "__Host-cookie1" set from "https://example.com" MUST NOT
contain a "Domain" attribute (and will therefore be sent only to
"example.com", and not to "subdomain.example.com").
4. Sent to every request for a host. That is, a cookie named
"__Host-cookie1" MUST contain a "Path" attribute with a value of
As I get it, subdomains should work, as the cookie can be set from “https://cloud.example.com” and then will be sent to “https://cloud.example.com” without need for “Domain” attribute, right?
Path=/ need to be set, subfolders should not work. I am not sure about the behaviour, if i.e.
index.php is shown in address field, if this also counts as path.
Also would be interesting, if __Host-cookies are set automatically, if the requirements are fulfilled or if sometimes settings need to be adjusted for that.
€: More on that from this blog post:
Same-site cookies support
The Same-site cookie support in Nextcloud 11 has been hardened even further. Same-Site cookies are a security measure supported by modern browsers that prevent CSRF vulnerabilities and protect your privacy further.
Browsers that support same-site cookies can be instructed in a way to only send a cookie if the request is originating from the original domain. This makes exploiting CSRF vulnerabilities from other domains a non-issue. Also timing attacks, such as enumerating whether a specific file or folder exists, are not feasible anymore. Nextcloud enforces the same-site cookies to be present on every request by enforcing this within the request middleware.
As hardening measure, in Nextcloud 11 we have added the __Host prefix to the cookie if the environment supports this feature. This enforces the cookie to be only sent via HTTPS and only be sent only to the host that has set this cookie. This mitigates cookie injection vulnerabilities within potential third-party software sharing the same second level domain. Note that Nextcloud does also employ regular protections against CSRF such as a shared secret between browser and client. Same-Site cookies are just considered a security hardening. More technical details about the original implementation can be read in this blog.