The latest draft of RFC6265bis has changed recently such that tab characters are allowed in cookies but all other characters should cause the whole cookie line to be discarded. From 'The Set-Cookie Header Field' section: 1. If the set-cookie-string contains a %x00-08 / %x0A-1F / %x7F character (CTL characters excluding HTAB): Abort these steps and ignore the set-cookie-string entirely. and from the 'Storage Model' section: 3. If the cookie-name or the cookie-value contains a %x00-08 / %x0A-1F / %x7F character (CTL characters excluding HTAB), abort these steps and ignore the cookie entirely. From some testing using document.cookie in Safari, it looks like all control characters except the tab character cause the cookie to be rejected if present in the name and cause the rest of the cookie line to be truncated if present in the value. To conform to the spec, it'd be ideal if all control characters except tabs anywhere in a cookie line (for cookie lines from document.cookie or in Set-Cookie headers) caused the cookie to be rejected. For reference, I used variations of the following for testing (which also demonstrates the motivation behind not having control characters truncate): function getCtlCharacters() { const ctlCodes = [...Array(0x20).keys()] .concat([0x7F]); return ctlCodes.map(i => ({ code: i, chr: String.fromCharCode(i) })) } const CTLS = getCtlCharacters(); for (const ctl of CTLS) { malicious_value = `haha${ctl.chr}haha`; // See whether HttpOnly gets ignored for easier testing, but in // an attack scenario it could be bad if Secure gets ignored document.cookie = `test${ctl.code}=` + malicious_value + "; HttpOnly"; document.cookie = `te${ctl.chr}st${ctl.code}=asdf`; } document.cookie